What this policy covers
Updated: 24 May 2018
This policy explains how Royston Youth Action (RYA) uses, stores and protects any personal data it manages through the provision of its programmes and membership services.
RYA takes its obligations to any personal data held very seriously and has updated this policy to accommodate the new General Data Protection Regulation (GDPR) that comes into effect on 25 May 2018.
We may update this policy from time to time to provide additional information or clarity. This page will be the master copy of our policy and we encourage users to regularly check for any updates.
Our intention is to try and use plain English and youth work terminology as far as possible under our requirements for this policy. Any use of ‘us’, ‘we’ or ‘our’ etc. refers to RYA. Any use of ‘you’, ‘your’ or ‘you’re’ refers to the user of our services. There are some legal terms used out of necessity but please get in touch if you require clarification on any of this policy.
There is a downloadable version of the same text at our website. You may also request a physical copy by writing to us.
To contact us regarding this policy
please e-mail: email@example.com
or write to: RYA, 325 Royston Road, Glasgow, G21 2BS
Please note a physical copy will only be current at time of issue.
Controller of Personal Data
Any personal information provided to or gathered by RYA is controlled by Royston Youth Action, Scottish Charity No. SC006351. A company limited by guarantee No: 205806, registered in Scotland. C/O T C Young, 7 West George Street, Glasgow, G2 1BA.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) takes effect from 25 May 2018. GDPR is an evolution of the existing Data Protection Act (DPA) and Data Protection Directive. It is intended to give us all a greater visibility and control of our personal information (referred to as personal data).
Personal Data is defined as, “.. ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
What this means is that any information an organisation holds that could be used to identify a person counts as personal data.
You can find out more about GDPR and how the Information Commissioner’s Office (ICO) applies it to UK organisations on their website www.ico.org.uk
Child Protection and Privacy
RYA operates in the youth sector, interacting with young people from 5 years+. Where relevant, and if there exists a conflict, Child Protection legislation and policy supersedes GDPR.
Types of information
Information, or data, that we hold is held on a consent or legitimate interests basis. This means that we hold and use information either based on your permission (consent) to do so, such as when you provide your email address and name to sign up to our e-mail newsletter, or because that information is required to provide our services (legitimate interests).
Information you give us
You provide us with information when you use our services. This may be a membership form, a consent form or registering for training we provide. In all cases you choose to provide the information requested so that we may provide the service.
Information will typically be provided to us via a form. This form may be accessed online on our website or via a physical form at a club session.
Information that technology gives us
Information is sometimes automatically passed between your chosen technology and our technology by accessing our digital services. The most common usage is website analytics and browser cookies.
Your web browser automatically passes information about itself and your device (computer/mobile etc.) to any internet location you visit. Your browser has specific settings you can adjust to limit or increase these options.
This information is often referred to as metadata and is information including: log data, information passed by your web browser like IP address or other web browser information; device information, like what type of computer or mobile device accessed our website; location information such as an approximate location while accessing our website.
We have recently established an active email newsletter and we usually receive information such as confirmation when you open the e-mail, but only if your technology and services permit it.
How information is used
We use any information you provide to us to fulfil the service or services related to your information. For example, to apply for membership, we will ask for the information that we require according to our membership criteria. Likewise we will ask for names and emergency contact details when issuing consent forms for specific dates/events.
In essence, the information is directly related to being able to fulfil the service we set out to provide to you or that required by law.
The core uses of personal data held by RYA are:
- To provide, update, maintain and improve our services
- As required by law, legal process or regulation
- To communicate and respond to requests, comments and questions
- To send service emails and other communications essential to providing membership and services
- For billing, account management and other administrative matters
- To maintain security and standards
In addition to the core purpose we use data for, we may also use information to analyse or profile our users to fulfil legal obligations, reporting obligations and to maintain and improve our services.
This may include:
- We may use data to analyse our services, e.g. satisfaction surveys and programme evaluation surveys to see how we are doing and take on board feedback
- We may profile data on a geographical basis to ensure we comply with our constitution.
- We may profile data on age or gender basis to improve our offering and complete our annual reporting
- We may profile data for aggregated statistics to complete reports e.g. we are often required to complete annual reports for programmes we run as a contractual obligation.
Some RYA programmes, events or activities are supported or funded by other organisations. These programmes and events can require that reporting, financial and evaluation data be shared with our supporting funder or partner as a condition of contract. We will always make you aware of where this applies.
The current obligations on RYA are as follows:
Cashback for Communities
People and Communities Fund
BBC Children in Need
GCC – Integrated Grant Fund
The Robertson Trust
The Gannochy Trust
Where applicable consent has been obtained, we will share potentially sensitive personal information for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared will be fully anonymised.
All RYA workers and volunteers who apply for PVG scheme membership/update provide the personal data required to process the PVG checks. These details are submitted by RYA to Disclosure Scotland via Volunteer Scotland Disclosure Service. Disclosure Scotland produce PVG certificates and share these with applicants and with RYA.
RYA never sells data to third parties.
Security and where information is stored
RYA takes every reasonable precaution to ensure any data we hold is secure and stored according to GDPR.
The following details explain the groupings for data storage, the technology involved and location.
In addition to the secure storage outlined below, access to any RYA system is always protected by the requirement for secure login to our systems. Any physically held data is protected locally by secure entry system, alarm and CCTV. Filing cabinets where used are locked.
Our membership data is stored, accessed and updated on a server backed up by the latest firewall and anti-virus software compliant with GDPR. A paper copy is kept in a locked cupboard to allow staff access to emergency contact and medical information if required outwith office hours.
Data from the website will only be used for Google Analytics purposes. The website is backed up daily and is fully maintained by our website provider Business View.
Our project data is maintained in Microsoft Access or Microsoft Excel databases. These databases are stored locally on a secure server; users must be physically on RYA premises, sign in to a centrally managed profile and have password access to each database.
RYA will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
To achieve this, we have grouped personal data and set the following general limitations.
Data is considered active and current during a membership period of 12 months. Data will be held by RYA for up to 24 months after non-renewal of membership before being archived.
Projects and programmes run for varying periods of time, typically increments of 12 months by financial year. To accommodate this, we will keep data for a period of time limited by project completion dates or by financial year in rolling projects. Data will be held by RYA for up to 24 months after the project completion date.
Like other organisations RYA is required to hold organisational financial records for accounting, auditing and taxation purposes.
Data will be held by RYA for up to 84 months from end of financial year.
Employee and trustee data
RYA holds various personal data on current and former employees and trustees.
Data is considered active and current during the period an employee is actively employed by the organisation or for the tenure of a trustee. Data will be held by RYA for up to 12 months for employees and trustees and 12 months from last contract for freelancers and contractors.
PVG member applicant data
RYA holds personal data on PVG applicants whilst their PVG scheme application is being processed and until their PVG certificate has been received and a recruitment decision made. After a recruitment decision has been made we will delete the data. We will retain minimal contact details and a note of PVG certificate number on file for the duration of their active involvement with RYA in a regulated work role.
These limitations may be superseded by legal requirements placed upon RYA.
Like the majority of websites RYA uses modern technology and data provided by you and your browser to try and provide the best service and experience we can.
GDPR provides certain rights to individuals. These are how they apply to RYA.
- The right to be informed – the core purpose of this policy; we aim to tell you about the collection of personal data.
- The right to access – you have access to your personal information (often called a “data subject access request”). This enables you to ask for a copy of the personal information we hold about you. This is normally free but please note that, as per ICO guidelines, an administration fee may apply, “when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
- The right to rectification – in clearer words – the right to have corrections made. This is a shared obligation between us to keep personal data as up to date as is practical.
- The right to erasure – this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- The right to restrict processing – this enables you, where appropriate, to ask us to suspend the processing of personal information about you. For example, if you are checking the accuracy of information we hold.
- The right to data portability – in clearer words – the ability for you to take personal data from us to an alternative supplier. Less relevant to our operations but the right remains.
- The right to object – where we are using a legitimate interest basis and there is something which makes you want to object to processing on these grounds. This may mean we are unable to provide some services to you.
- Rights in relation to automated decision making and profiling – automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.