PRIVACY POLICY
AT THE BUS PRIVACY POLICY
Date Published: July 2024
This is the GDPR and Privacy policy for AT The Bus, a registered charity number 1181294.
The General Data Protection Regulation Act 2018 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers electronic and manual records. Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. AT The Bus fully endorses and adheres to the General Data Protection Regulations, as set out in the General Data Protection Regulations 2018.
To do this AT The Bus follows the main Data Protection Principles outlined in the General Data Protection Regulation 2018, which are summarised below:
I. Personal data will be processed fairly and lawfully II. Data will only be collected and used for specified purposes III. Data will be adequate, relevant and not excessive IV. Data will be accurate and up to date V. Data will not be held any longer than necessary VI. Data subject’s rights will be respected VII. Data will be kept safe from unauthorised access, accidental loss or damage VIII. Data will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
AT The Bus is a Data Controller for information collected from individuals and this privacy policy sets out the basis on which personal data will processed by us.
Please contact us via info@atthebus.org if you have any queries about this policy. The person in our organisation responsible for data protection is Maggie Scott, CEO.
-
Our data principles
-
We will respect your privacy and do our utmost to protect it at all times, including through using appropriate security technology.
-
We collect and use data only if we have a lawful basis to do so.
-
We will be clear in our communications as to what information we collect and how we use it.
-
We will use personal and sensitive data only for the stated purposes for which it was collected and we will make sure we delete it securely.
2. Data format
We regard data to have a wide meaning, including the the following formats: • Photographs • Video • Sound recordings • Written (paper) and electronic media (including Word, Excel and pdf files).
3. The data we collect
a. Children attending AT The Bus
We collect data to enable us to provide therapeutic support for children in school. This involves collecting referral information from schools to tell us what we need to know in order to provide an effective intervention. This includes
Name • Date of birth • Gender • Ethnicity • Pupil Premium • UPN (Unique Pupil Number) • Access to services • Relevant data from schools for example on attendance, academic progress or wellbeing • Medical and Special Education
Needs and Disability information
Safeguarding is an absolute priority. We may collect additional information that we need to know in order to keep children safe when they are attending our sessions.
In order to run an effective therapeutic intervention we also keep brief, relevant notes about the sessions that we run.This information is stored internally and may be shared with the child’s school as required in the child’s best interest. We will only share with other agencies as required by law.
All records about children are kept securely for as long as is necessary.
b. Evaluation of efficacy
We may also collect information to assess the effectiveness of our work, checking on children’s progress in our sessions and at school. This can be through formal questionnaires or qualitative lived experience feedback. Consent is sought in advance. We work with partners (for example Universities) to ensure rigour in evaluation, and we may share anonymised information with these third parties.
c. Employer and contractual relationships
We also have to collect data to ensure that we can fulfil our responsibilities as a charity (for example in relation to Trustees), as an employer or to enable an effective contractual relationship with a supplier or contractor.
This may include • References • Passport / other ID details • DBS information • Health information • Banking details • National Insurance number • Personal addresses and emergency contact information.
Some details are obtained at the recruitment stage and some during the course of employment.
d. Fundraising activity
To identify individuals and organisations that may enter a funding or contractual relationship with us, we may collect information about individuals and organisations, to include: • Name • Position • Phone number • Email • Work address • Donations and funding amounts • Any notes from meetings held with individuals or representatives from these organisations.
We may use personal information in conjunction with other third party data we may receive to carry out research to determine whether they would be interested in hearing more about us and/or being involved with our charitable work. We may use publicly available information from third party sources such as Google; Companies House; published biographies and publicly available LinkedIn profiles. Occasionally we may also research any key networks that the individual is publicly known to be a member of, such as on the board of a not-for-profit or philanthropic body which may have relevance to our activities.
We may also use profiling to produce short biographies of people who are due to meet with our leadership or attend an event that we may be hosting. This helps our people to understand more about those we engage with, and their interests or connection to us.
As a registered charity, we are subject to a number of legal and regulatory obligations and standards, which we take seriously. The public naturally expect charities to operate in an ethical manner and this is integral to developing high levels of trust and demonstrating our integrity. This means that we may carry out appropriate due diligence of donors, check donations and implement robust financial controls to help protect the charity from abuse, fraud and/or money laundering.
4. Sharing data
We will only use your information for the purposes for which it was obtained. We will not, under any circumstances, sell or share your personal information with any third party for their own purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your details to us.
On occasion we may share information with trusted third parties.
These include:
-
The schools we work with using schools’ safeguarding systems
-
Contractors who may do work for us
-
Other partners, such as Universities who may be undertaking research activity
-
Where legally required: We will comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.
-
Third party suppliers: We may need to share your information with data hosting providers or service providers who help us to deliver our services, projects, or fundraising activities and appeals. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses.
-
In order to undertake safe recruitment practices, for example accessing references from previous employers
-
Payment Processors: To process payments (including donations and payroll services), we need to pass some personal information to one or more of the following suppliers. Our current providers are Paypal, Justgiving. Oxford Payroll Partners, Strictly Education Ltd, Oxford University, West London Zone, The Big Give, The Charity Commission.
If we have concerns about a child’s welfare or safety or if we are legally required to provide the information we will share information with other parties, in the child’s best interests. In particular we always work in close partnership with children’s schools and will follow their guidance regarding sharing of information.
We will always share data in a secure manner, ensuring that it is kept safe and only those authorised to view it may do so. Where appropriate data will be anonymised, or where we need to hold personal information this is password protected and held securely on our systems.
5. Special categories of data
Data protection law recognises that certain types of personal information are more sensitive. This is known as 'sensitive' or 'special category personal information data’ for the purposes of the GDPR and covers information revealing racial or ethnic origin, religion, philosophical beliefs and political opinions, trade union membership, genetics, biometrics (where it is used for ID purposes), information concerning health or data concerning a person's sexual orientation, or sex life.
Sensitive information will only be collected where necessary, for example, we may need to collect health information as part of our recruitment processes. Clear notices will be provided at the time we collect this information, stating what information is collected, and why.
In addition, we may process special categories of data, such as information about ethnic origin. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.
6. How we collect information:
a. When you directly give us information - We may collect and store information about you when you interact with us.
For example, this could be when you:
-
get in touch with us via phone, website or other method of communication;
-
support our work through a donation
-
fundraise on our behalf
-
register for an event
-
submit an enquiry
-
register for or use our services
-
participate in our training
-
give us feedback
-
make a complaint
-
apply for a job
-
enter into a contract with us
b. When you indirectly give us information - when you interact with us on social media platforms such as Twitter or Instagram we may also obtain some personal information about you. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to their privacy notices. AT The Bus has no ownership over these websites who may process your data for their own purposes if you choose to use them.
We may obtain information about your visit to our website, for example the pages you visit and how you navigate the site, by using cookies. Please see our Cookies Policy.
c. When you give permission to other parties to share it with us - Your information might be shared, with your consent, by other organisations such as Just Giving. These independent third parties will only do so when you have indicated that you wish to support AT The Bus, and only with your consent.
You should check their Privacy Policy when you provide your information to understand fully how they will process your information. We may also obtain information about you from a family member or a friend who contacts us on your behalf or if a fundraiser passes on your details to us.
7. Legal basis for holding and processing data
The GDPR sets out six reasons why we may lawfully process your personal information. When we process your personal information, we will ensure that we comply with one of these six lawful basis.
a. Where processing your data is within our legitimate interests
We are allowed to use your personal information where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.
We don't think that any of the following activities prejudice individuals in any way. However, you do have the right to object to us at any time about processing your personal information on this basis. We have set out details regarding how you can go about doing this in the section on your rights to your data. Further, when we contact you by e-mail, we will include an option for you to unsubscribe or alter the method with which we interact with you, at the end of the e-mail.
We process on the basis of our legitimate interests for:
-
The data we collect and share with schools so that we can make cohort selections and deliver our services is done - in the public interest – i.e. it is needed as part of the school’s delivery of educational provision in the public interest, and - on the basis of the legitimate interests condition – i.e. we a need the data to deliver our services to the participants and for the school; we believe this also benefits the participants themselves, and is not outweighed by the privacy rights and expectations of the pupils or their parents/guardians.
-
Any Special Categories of Personal Data will be processed on the basis that the School is delivering a statutory and government purpose (educational provision) and the data is required as part of an assessment of the Participants – i.e. so we can provide confidential advice. Profiling and analysis: This will help us communicate with you in a more focused, efficient and cost effective way, helping us reduce the chances of you receiving inappropriate or irrelevant communications
-
Recruitment: We have a legitimate interest in processing personal information during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
-
All information on employee bank details, pension details, and tax details are processed on the basis of fulfilling the employment contract or because we have a legal obligation to perform the processing. Other employee details will be processed by consent.
b. Where you give us your consent to process your personal information
We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
-
You have to give us your consent freely, without us putting you under any type of pressure;
-
You have to know what you are consenting to – so we'll make sure we give you enough information to make an informed consent;You should only be asked to consent to one processing activity at a time
-
You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
c. Where we have sought your consent, we will only process for the purposes we specified at the time you provided your data. However, in the future we may wish to process your data for a different purpose as long as the new purpose is one you might reasonably expect and we will notify you of it beforehand, seeking fresh consent if required.
d. Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under our contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.An example of a legal obligation that we need to comply with is our obligation to cooperate with tax authorities.
e. Where processing is necessary for the performance of a contract between you and us
We may have a contract or other agreement in place with you, for example as a volunteer, or as a supplier. In order for us to complete our obligations under this contract, we are permitted to process your personal information in furtherance of this contract. If we are discussing matters with a view to enter into an agreement, then the GDPR permits us to process your personal information in this instance also.
8. Keeping information secure
To prevent unauthorised access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, AT The Bus will take all reasonable and appropriate procedures to safeguard the information we collect and process. In particular, when transferring confidential or sensitive/ special category information we will protect it appropriately. These measures include password protection and secure storage.
We use technical and corporate organisational safeguards to ensure that your personal information is secure. We limit access to information on a need-to-know basis and take appropriate measures to ensure that our people are aware that such information is only used in accordance with this Privacy Notice.
9. Retention of data
AT The Bus will retain your data only as required or permitted under data protection law and while it has a legitimate purpose for doing so.
We will keep your personal information in respect of financial transactions for as long as the law requires us to for tax or accounting purposes (which may be up to seven years after a particular transaction).
Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
In the case of people applying for jobs / volunteering opportunities, all information collected on applicants will be permanently deleted after 12 months from application.
In the case of people employed or volunteering with AT The Bus, all information will be permanently deleted after 6 years from the end date of employment.Please note that in certain circumstances, we may hold this data for a longer period if for example we believe in good faith that the law or relevant regulators require us to preserve your data.
Children’s data will be held for as long as is required by law.
10. Your rights
AT The Bus adheres at all times to data protection legislation (currently the Data Protection Act 2018), which provides the following rights for individuals: 1. The right to be informed 2. The right of access – see further detail below 3. The right to rectification 4. The right to erase 5. The right to restrict processing 6. The right to data portability 7. The right to object 8. Rights in relation to automated decision making and profiling. This policy outlines our approach to ensuring these rights are met and maintained. If you have any concerns or questions relating to your rights regarding personal data, please contact the person name above as the data protection contact.
11. Withdrawing consent
Where we need your consent in order to process your personal data, you have the right to withdraw consent at any time. To unsubscribe or withdraw consent, please email info@atthebus.org.uk.
12. Accessing your data
You have the right to access the data we hold on you or your child(ren) at any time. You also have the right to request that AT The Bus rectifies or deletes any data we hold on you or your child(ren), at any time. Requesting access to your data will not affect your relationship with AT The Bus or your child’s school.
Children over the age of 13 may request access to their information themselves.
13. Data Breach
We take the protection of all data seriously and will take steps as outlined in this policy to prevent data breaches as far as possible. If a breach does occur it will be immediately reported to Maggie Scott, our CEO with responsibility for data protection, and a full investigation will be undertaken to consider what steps are required. We will urgently notify all affected parties of any breach and the action that we are taking.
14. Concerns and complaints
If you have any concerns or a complaint regarding our collection and use of your data or a possible breach of your privacy, please email info@atthebus.org.uk. Alternatively, you can write to us at AT The Bus, The Cherwell School, South Site, Marston Ferry Rd, Oxford OX2 7EF We will aim to ensure that your complaint is resolved in a timely and appropriate manner. If you remain unhappy you have the right to complain to the Information Commissioner. You can find out more information about this at: www.ico.org.uk
15. When this privacy policy applies
This privacy policy applies to all of the information dealt with by AT The Bus as a data controller. This privacy policy does not provide information on the data management of other organisations, including those that we share data with or for whom we provide links on our website. For more information on how any of the other organisations mentioned in this policy deal with personal data please read their privacy policies which should be accessible through their websites.
Add paragraph text. Click “Edit Text” to update the font, size and more. To change and reuse text themes, go to Site Styles.