Good Things Foundation is committed to processing data in accordance with our responsibilities under data protection legislation. We want to ensure compliance of the highest level and will keep abreast of all best practices in data protection.
This policy has been drawn up on the basis of relevant legislation, namely:
- Data Protection Act 2018 ('DPA')
- Regulation (EU) 2016/679 (the 'General Data Protection Regulation'), ('GDPR')
Who we are and how we operate
We are a charity organisation and the UK's leading digital inclusion organisation. We design and deliver digital and social inclusion programmes for a wide range of partners, from central Government and local councils to private sector organisations and charitable bodies. We are the UK Government's key digital inclusion partner, working with DfE, DCLG, HMRC and NHS England/NHS Digital, among others.
Our model involves working with a UK-wide network of over 5,000 community organisations, called the Online Centres Network, both in contractual relationships and through informal partnership; and making available online learning - through an open learning platform called Learn My Way - for people with low digital confidence. We don't own or run the community organisations in the Online Centres Network: it's a network with a shared vision that we support, not a franchise.
Why this policy exists
Good Things Foundation needs to gather and use certain information about individuals. These can include customers, partners, suppliers, business contacts, employees, volunteers and other people the organisation has a relationship with or may need to contact.
Our understanding is that data protection should be by design and by default. We believe in maximum compliance, best practice, and minimising risk. This doesn't guarantee the avoidance of problems, but minimises the chance of them occurring.
This policy describes how these personal data must be collected, handled and stored to meet the company's data protection standards — and to comply with the law.
This data protection policy ensures that Good Things Foundation:
- Complies with data protection legislation and follows good practice.
- Protects the rights of staff, customers and partners.
- Is open about how it collects, stores, shares and processes personal data.
This policy helps to protect Good Things Foundation from a range of data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Who is this policy for
This policy applies to:
- The head office of Good Things Foundation.
- All staff and volunteers of Good Things Foundation.
- All contractors, suppliers and other people working directly with or for Good Things Foundation.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 2018. This can include, but is not limited to:
- Names of individuals.
- Postal addresses.
- Email addresses.
- Telephone numbers.
And any other personally identifiable information relating to individuals.
When does this policy apply
Data Protection legislation and therefore this policy applies to any situation where personal data for a natural living person can be identified. The protection of personal privacy is very important to us at Good Things Foundation, and any personal data collected and used must be treated in accordance with current Data Protection legislation.
What is covered by this policy
The capture, storage, processing, management, distribution and secure destruction of any personal data for natural living persons connected with Good Things Foundation.
What is data protection law?
Latest data protection law in the form of the DPA 2018 and GDPR puts much stronger obligations on organisations to integrate data protection concerns into all aspects of data processing activities.
Under GDPR individuals have the following additional rights:
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. We must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.
The right of access to data
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. We will act on the subject access request without undue delay and at the latest within one month of receipt.
The right to rectification
Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. We will aim to respond to any such request within one calendar month.
The right to erasure
Individuals have the right to request that we erase all the personal information we hold on them. If you no longer wish your data to be in our system then please contact us and we will remove them from the system.
The right to restrict processing
Individuals have a right to request that we restrict the processing of their personal information that we have on our systems. This is an alternative to a request for erasure of personal data. However, this is not an absolute right and only applies in certain cases where doubts exists about the accuracy or lawful processing of personal data.
Right to data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller. This allows an individual to manage and reuse their personal data.
Right to object
This allows individuals to ask us to stop processing their personal data. The right to object only applies in certain circumstances. Individuals have the absolute right to object to the processing of their personal data if it is for direct marketing purposes. In other cases, the right to object is not absolute and would depend on various circumstances.
Rights related to automated decision making including profiling
Under the GDPR, profiling is the automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Where do we store data and how secure is it?
Our learner data is stored in secure data centres in London. All data is encrypted in transit and on the servers.
Most learner data is stored within this core system, however in the course of our work we sometimes need to extract data to cloud services such as Google G Suite, MailChimp or Survey Monkey which may mean some personal data is transferred outside the EU. However we are signed up to the US/EU privacy shield for these services which covers usage in this respect.
Who is responsible for our data?
Everyone who works for or with Good Things Foundation is responsible for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection legislation.
The following have key areas of responsibility:
- The Board of Trustees is ultimately responsible for ensuring that Good Things Foundation meets its legal obligations;
The Director of Finance is responsible for:
- Keeping the Board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data Good Things Foundation holds about them (also called 'subject access requests').
- Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data;
The Head of Digital is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services
The Head of Marketing is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
What data do we collect
We collect data about individuals to identify them personally within our systems. As a minimum this will be chosen name and a further identifier, which could be email address, home address or telephone number.
Our open learning platform Learn My Way automatically collects data about the online learning activity carried out by individuals. Other software such as our CaptureIT system is used by tutors across our network to record learning activity not carried out on Learn My Way.
Data collected about individuals which is not regarded as sensitive under the DPA is stored directly against an individual alongside records of their learning, which includes information about their online learning activity on Learn My Way, interactions with the site, and any external learning activity that tutors have entered into the system through tools such as CaptureIT.
We only ever collect and store minimal data against an individual that either:
- Is used to contact that individual in their preferred way.
- Is required to make our systems work.
- Is explicitly contractually required as part of a funding agreement.
- Helps us to understand and refine the user experience.
Additional data for special projects
Sometimes we are contractually required to collect or assist clients with sensitive personal information about an individual - in other words, information that pertains to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- membership of a trade union
- physical or mental health conditions
- sexual life
- any committed or alleged offences
- genetic data
- biometric data
- other information deemed sensitive (e.g. tax information).
Any information in these categories must be specified in the contract, and we will provide a clear reason given as to why the data is required to be collected, and will require explicit consent in order to collect and process such data.
When collecting sensitive information we will only store this information at the level against which we need to analyse the data. This could be against a single organisation or an entire network, but unless specified as absolutely necessary as part of a particular funding contract we will not store sensitive information against an individual; any such data we are required to store will only ever be collected through clearly-specified contractually agreed fields, minimising free text.
If there is a requirement for storing this kind of information against an individual, this will always carry a substantial additional cost which will need to be met in full by the partner/funder, to cover the cost of putting in place suitable data protection systems and processes. Beyond this, if a partner/funder wishes to move beyond this and include additional requirements for data protection, we will discuss the additional requirement(s) and decide whether to proceed. If we decide to proceed, the additional requirement(s) will be set out clearly in the contract/partnership agreement with the partner, and will be fully funded by the partner. Any data stored under such an agreement with either be deleted or anonymised at the end of the contract.
Where there are free text fields in the system that are stored against an individual (for example when adding external learning activity using CaptureIT), we provide guidance to those filling in the forms to minimise the chance that they enter sensitive information into these fields. For those who we assist with digital services, we encourage the service providers to collect feedback from all users in a manner which centres can assist with, rather than us creating a set of duplicate information. As those who need significant help become more confident, a service provider can continue to receive their feedback.
We don't ask individuals to prove their identify using formal documentation. If this is a specific requirement of the funder, we will do it in explicitly contracted exceptional cases - for example, to set up an individual with the Government's Unique Learner Number identifier. This work is an explicitly charged item.
What we ask of our community partners
We ask our community partners to comply with the latest data protection legislation, including the GDPR and the DPA, and any other relevant legislation Beyond this, however, we don't require any specific data protection systems and processes to be in place.
As set out in the section above, if a funder has a specific requirement to ensure particular data protection systems and processes are in place, this will always carry a substantial additional cost which will be met in full by the partner/funder - as will any requirement to assure our partners' legal or other compliance.
Where community partners support beneficiaries to use Learn My Way, or where beneficiaries use it independently, Good Things Foundation remains responsible for the data that is collected and stored by the system.
For project partners, we provide guidance on the provision of learning to avoid the inadvertent collection of data that is highly sensitive by nature of the course of learning that someone has taken. For certain courses, storing that a person has taken that course alongside their home address could potentially lead to exploitation of vulnerable individuals (e.g. a "digital tools for financially excluded" who register with their home address vs a "digital tools for families who have financial exclusion")
Our terms and conditions of grant funding for Online Centres includes a specific section on data protection and their responsibilities to data protection during the course of their interactions with Good Things Foundation and the services we provide. However, Good Things Foundation is not directly responsible for Online Centres' own data protection policies and procedures.
Technical measures to ensure data loss prevention
We strive to protect personal data by restricting the possibility of losing data due to theft, loss of equipment, the abandonment of old computers or hard copy records being lost, stolen or incorrectly disposed of. Technical measures we implement to prevent these are:
- Ensuring high quality of doors and locks, alarms, security lighting or CCTV
- Controlling access to the premises, and how visitors are supervised
- Disposing of paper and electronic waste in accordance with waste legislation and regulations.
The latest legislation puts a proactive obligation on us to take reasonable steps to delete or correct inaccurate personal data. Personal data should be accurate, and where necessary kept up-to-date.The more important it is that the personal data is accurate, the greater the effort Good Things Foundation will put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Data should be accurately recorded when received along with its source.
- Staff will take reasonable steps to ensure data is updated. For instance, by confirming a customer's details when they call.
- Good Things Foundation will make it easy for data subjects to update the information Good Things Foundation holds about them. For instance, via our websites and the Good Things Foundation Network Team.
- Data will be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
- It is the Head of Marketing's responsibility to ensure marketing databases are checked against industry suppression files every six months.
How long do we keep data for?
Good Things Foundation will not keep personal data for longer than we need it. For statistical purposes a record of activity will be retained, but all personal data will be removed after a specified period of time:
- Any data collected as part of a funded contract - 1 year after the contract we have with our funder expires, or 2 years after the last learner activity (whichever is later);
- Any data collected not as part of a funded contract - 2 years after the last learner activity in the system
Making individuals aware of how we use data
Good Things Foundation aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used;
- What the data is being used for;
- Who their data is being shared;
- How to exercise their rights under the latest data protection legislation
To these ends, we have a privacy statement, setting out how data relating to individuals is used by. This privacy statement is published on all our websites.
How can individuals access data we hold?
All individuals who have any personal data of theirs held by Good Things Foundation are entitled to submit a subject access request if they wish to:
- Ask what information we hold about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
Subject access requests should be made by email, at email@example.com. We will aim to provide the relevant data within one calendar month from the day after the subject access request was received. Where the request is manifestly unfounded or excessive, we will charge £10 per subject access request. We will always verify the identity of anyone making a subject access request before handing over any information.
Requests for removal
Should an individual request that all personal information we hold about them is removed from our systems then we will do this free of charge within 30 days or direct them to a page on our websites where they can do this.
Requests for removal of data should be made by email, at firstname.lastname@example.org
We will always verify the identity of anyone requesting removal of their personal data before deleting any information from our systems.
What is excluded from this policy
This policy is not required to cover information held for deceased individuals. However, following best practice we will abide by the same principles.
If we are the subject of a data breach, we will report any such breach to the ICO within 72 hours if legally required. You can find more detailed information about our data breach notification process here.
Any enquiries regarding data protection should be made to:
The Information Commissioner's Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with Data Protection legislation in the UK. You can contact them at the Information Commissioner's Office, Wycliffe House, Water Lane, Cheshire, SK9 5AF; telephone number +44 (0)162 554 5745; or via their website at www.ico.org.uk.