Data Protection Policy and Privacy Notice: Difference between revisions

From Wikimedia UK
m (rm old header template)
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{BoardApproved|Minutes 21Apr12|11 February 2012|type=policy|series=Staff Policies|
{{BoardApproved|Minutes 21Apr12|21 April 2012|type=policy|series=Staff Policies|
history = {{BoardApprovedHistory | Minutes 21Apr12#Wikimania_scholarships | 22 April 2012 | Initial adoption |22086}}
history = {{BoardApprovedHistory | Minutes 21Apr12#Wikimania_scholarships | 22 April 2012 | Initial adoption |22086}}
| lastid=22086
{{BoardApprovedHistory | Decisions/Data Protection Policy amendment May 2013 | 25 May 2013 | Amendment to include European Economic Area/Data Protection Act requirements |40298}}
{{BoardApprovedHistory | Data Protection Policy |  17 May 2018 | Amendment to include GDPR update - minutes to follow|40298}}
| lastid=40298
}}
}}
This policy applies to all staff, trustees and volunteers of Wikimedia UK.


===Introduction===
===Introduction===
The purpose of this policy is to enable Wikimedia UK to:
Wikimedia UK is committed to protecting and respecting your privacy and your personal information. This data protection policy sets out how and why we obtain personal information, how we use it, and what steps we take to protect it. It describes the lawful basis on which we do this and your rights in respect of your data. It tells you how to get in touch if you have any further questions.
* comply with the law in respect of the data it holds about individuals;
* follow good practice;
* protect Wikimedia UK’s clients, staff, donors, volunteers and other individuals
* protect the organisation from the consequences of a breach of its responsibilities.
 
===Brief introduction to Data Protection Act 1998===
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
 
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
* Fairly and lawfully processed
* Processed for limited purposes
* Adequate, relevant and not excessive
* Accurate and up to date
* Not kept for longer than is necessary
* Processed in line with the rights of Data Subjects
* Secure
* Not transferred to other countries without adequate protection


The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Our [[Website Privacy Policy|website policy]] describes what cookies we use on our website and their purpose.
===Who we are===
Wikimedia UK is a company limited by guarantee (number 6741827) and a registered charity (number [http://apps.charitycommission.gov.uk/Showcharity/RegisterOfCharities/CharityWithPartB.aspx?RegisteredCharityNumber=1144513&SubsidiaryNumber=0 1144513]). We are the UK chapter of the global Wikipedia movement. This policy relates to information which is obtained by Wikimedia UK and which Wikimedia UK uses.


===Policy statement===
===What we do===
[[File:ICO registration certificate.PDF|thumb|right|Wikimedia UK's DPA certificate]]
[[File:ICO registration certificate.PDF|thumb|right|Wikimedia UK's DPA certificate]]
Wikimedia UK will:
Wikimedia UK works in partnership with organisations from the cultural and education sectors and beyond in order to unlock content, remove barriers to knowledge, develop new ways of engaging with the public and to enable learners to benefit fully from the educational potential of the Wikimedia projects.
* comply with both the law and good practice
* respect individuals’ rights
* be open and honest with individuals whose data is held
* provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently
 
Wikimedia UK recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. Information about staff, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully.
 
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Wikimedia UK will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
Wikimedia UK has registered with the Information Commissioner's Office under the Data Protection Act.
 
===Definitions===
The Data Subject is the individual whose personal data is being processed. Examples include:
* employees – current and past
* volunteers
* job applicants
* donors
* users
* suppliers.
 
Processing means the use made of personal data including:
* obtaining and retrieving
* holding and storing
* making available within or outside the organisation
* printing, sorting, matching, comparing, destroying.
 
The ''Data Controller'' is the legal 'person', or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.
 
The ''Data Processor'' - the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security.
 
The ''Data Protection Officer'' is the name given to the person in organisations who is the central point of contact for all data compliance issues.
 
===Responsibilities===
The Board of Trustees recognises its overall responsibility for ensuring that Wikimedia UK complies with its legal obligations.
 
The Data Protection Officer is currently Jon Davies, who has the following responsibilities:
* Briefing the board on Data Protection responsibilities
* Reviewing Data Protection and related policies
* Advising other staff on Data Protection issues
* Ensuring that Data Protection induction and training takes place
* Handling subject access requests
* Approving unusual or controversial disclosures of personal data
* Ensuring contracts with Data Processors have appropriate data protection clauses
* Electronic security
* Approving data protection-related statements on publicity materials and letters
 
Each member of staff, trustee and volunteer at Wikimedia UK who handles personal data will comply with the organisation's operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.
 
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
 
Significant breaches of this policy will be handled under Wikimedia UK's disciplinary procedures.
 
Because confidentiality applies to a much wider range of information than Data Protection, Wikimedia UK has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Wikimedia UK’s Confidentiality Policy.
 
Wikimedia UK has a privacy statement for clients, setting out how their information will be used. This is available on request, and a version of this statement will also be used on the Wikimedia UK web site. (See Appendix)
 
Staff, volunteers and sessional workers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Confidentiality Policy and Statement.)
 
In order to provide some services, Wikimedia UK may need to share client’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.
 
Where anyone within Wikimedia UK feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with the CE or the Data Protection Officer. All such disclosures will be documented.
 
===Security===
 
This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.
 
Any recorded information on clients, volunteers and staff will be:
* Kept in locked cabinets
* Protected by the use of passwords if kept on computer
* Destroyed confidentially if it is no longer needed
 
Access to information on the main database is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
 
Notes regarding personal data of clients should be shredded or destroyed.
 
===Data Recording and storage===
 
Wikimedia UK has a single database holding basic information about all donors. The back-ups are kept securely.
 
Wikimedia UK will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
* The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
* Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.
* Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
* Staff and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
* Data will be corrected if shown to be inaccurate


Wikimedia UK stores archived paper records of clients and volunteers securely in the office.  
We support the development of open knowledge in the UK, by increasing understanding and recognition of the value of open knowledge and advocating for change at an organisational, sectoral and public policy level. Our members and supporters help us do this by:
* Fundraising and donating money, services or gifts-in-kind
* Campaigning for change and engaging in public debate
* Participating in voluntary activities such as editathons.


===Access to data===
===What personal data we collect===
'''Membership data''': this is information you give us when you join Wikimedia UK. This will include your name, address, email, telephone numbers, date of birth, and country of residence. This may also include bank details, data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.


All donors, members of staff. trustees and volunteers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit.
We keep this information while you are a member and for a period of three years after the date on which your membership ceases.


Subject access requests must be in writing. All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.  
'''Supporter data''': this is information you give us when you donate time, money, services or goods to Wikimedia UK. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.


All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.
We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it for longer or unless otherwise required by law.  


Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.
'''Volunteer data''': this is information you give us when you participate in Wikimedia or partner organisations events or activities. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.  


The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it indefinitely.  


Wikimedia UK will provide details of information to service users who request it unless the information may cause harm to another person.  
'''Contractor data''': this is information you give us when you enter into a contractual relationship with us, whether as a member of staff, a supplier or in some other capacity. This data may include your name, national insurance, pension and tax details, bank details and the amount(s) you have paid to or been paid by Wikimedia UK. This may also include your address, email, telephone numbers, date of birth, and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.  


Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Chief Executive so that this can be amended and recorded on file.  
We keep this information for a period of seven years from your most recent interaction with us, unless otherwise required by law.  


===Transparency ===
'''Cookies''': We collect information about your interactions with our website using cookies. We might also obtain your personal data through your use of social media such as Facebook, Twitter or LinkedIn. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this. Our use of cookies is covered by a separate policy [[Website Privacy Policy|here]].
===How we use personal data===
We hold and process personal data of members, supporters, volunteers and contractors. We use it as follows:


Wikimedia UK is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
'''Members''': We use this data in order to fulfil our commitments as a membership organisation, to ensure the proper conduct of the organisation and to meet our obligations under our Articles of Association and as required by law.
* for what purpose it is being processed;
* what types of disclosure are likely; and
* how to exercise their rights in relation to the data.


Data Subjects will generally be informed in the following ways:
'''Supporters''': We recognise that supporters have a legitimate interest in how we use their donations and that this interest persists after a donation is made. We use this data to keep a record of donations made and actions taken by our supporters, to keep supporters informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with supporters.
* Staff: in the staff terms and conditions
* Volunteers: in the volunteer welcome/support pack
* Clients: when they request (on paper, on line or by phone) services
* Donors: as part of the process of making donations


Standard statements will be provided to staff for use on forms where data is collected.
'''Volunteers''': We recognise that volunteers have an ongoing and legitimate interest in our activities and that this interest persists after a contribution is made. We use this data to keep a record of donations made and actions taken by our volunteers and our communications with them, to keep volunteers informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with volunteers.


Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
'''Contractors''': We use contractor data for the proper administration of our contracts, to comply with existing legislation, and in the course of our normal business.


===Consent===
This means that the lawful basis for us processing your personal information described above will be one or more of the following:
* because it is necessary to fulfil a contract that we have in place with you; or
* because the processing is necessary for compliance with our legal obligations; or
* because we have a legitimate business interests or
* because we have your consent to keep and use the data
Where we are made aware that there is no lawful basis for keeping personal data, we will delete it.


Consent will normally not be sought for most processing of information about staff. Although staff details will only be disclosed for purposes unrelated to their work for Wikimedia UK (e.g. financial references) with their consent.
Wikimedia UK will not, under any circumstances, share or sell your personal data with any third party for their own marketing purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your personal data to us.


Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.
===How we govern the use of personal data===


Information about clients will only be made public with their consent. (This includes photographs.)
The Board of Trustees recognises its overall responsibility for ensuring that Wikimedia UK complies with its legal obligations. It reviews data systems and procedures annually to ensure compliance with the law and good practice. Day to day responsibility for data management is delegated to the CEO, who has the following responsibilities:
# advising the Board on data protection and related policies
# ensuring data security
# approving data protection-related statements on publicity materials and letters
# ensuring that staff have appropriate training in data protection and
# receiving and responding appropriately to data inquiries
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Each member of staff, trustee and volunteer at Wikimedia UK who handles personal data will comply with the organisation's operational procedures.  


‘Sensitive’ data about clients (including health information) will be held only with the knowledge and consent of the individual.
Wikimedia UK has registered with the Information Commissioner's Office under the Data Protection Act. Our registration number is Z3098483.


Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent will always be sought to the storing and processing of data. In all cases it will be documented on the database that consent has been given.  
Because confidentiality applies to a much wider range of information than GDPR, Wikimedia UK has a separate [[Confidentiality Policy]]. In the event of any conflict, this Data Protection Policy takes precedence.


All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).
===How we store personal data===


Wikimedia UK acknowledges that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where Wikimedia UK has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
Wikimedia UK has an electronic database holding information about all members, supporters, volunteers and contractors. We also hold physical records which includes attendance records, correspondence, emails and minutes of proceedings at events or meetings.
* Paper records will be stored in locked cabinets
* Electronic records will be stored on computers protected with alphanumeric passwords
* Electronic backups are kept securely, in line with industry standards.
Only authorised personnel for whom access to the data is necessary for the performance of their duties will have access to it.  


===Direct marketing===
Personal Data relating to any electronic interactions with Wikimedia UK will be held on a computer within the European Economic Area, as required by our ICO registration.


Wikimedia UK will treat the following unsolicited direct communication with individuals as marketing:
===Accessing and changing your data===
* seeking donations and other financial support;
* promoting any Wikimedia UK services or promotional goods;
* promoting Wikimedia UK events;
* promoting membership to supporters;
* promoting sponsored events and other fundraising exercises;
* marketing on behalf of any other external company or voluntary organisation.


Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out. If it is not possible to give a range of options, any opt-out which is exercised will apply to all Wikimedia UK marketing. Wikimedia UK does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.
Everyone has the right to know what data we hold, to confirm that it is accurate and, in the absence of any lawful grounds for us keeping the data, to ask that it be deleted. We will respond to any requests to change or delete data within 30 days.


Wikimedia UK will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
If you would like more information, or have any questions about this policy, or to access, change or request deletion of your data, please write to: '''yourdata@wikimedia.org.uk'''


Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
We may need to ask you to provide:
* proof of your identity
* proof of your home address
* any information that we reasonably need to locate the information you have requested
Requested data will be provided in electronic format at no charge.


===Staff training and acceptance of responsibilities===
To make a formal complaint about Wikimedia UK's approach to data protection or raise privacy concerns directly with our data protection team, please contact:


All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures.
The Data Protection Officer


Data Protection will be included in the induction training for all volunteers.
Wikimedia UK


Wikimedia UK will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
5-11 Lavington Street


===Appendix: Privacy statement===
London


When you request information from Wikimedia UK, sign up to any of our services or buy things from us, Wikimedia UK obtains information about you. This statement explains how we look after that information and what we do with it.
SE1 0NZ


We have a legal duty under the Data Protection Act to prevent your information falling into the wrong hands. We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.
You also have the right to make a complaint direct to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO can be contacted [https://ico.org.uk/global/contact-us here].


Normally the only information we hold comes directly from you. Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need. You do not have to provide us with any additional information unless you choose to. We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff and volunteers in handling the information securely.
Concerns can be also be logged via the ICO website.


If you have signed up to an event or other service we will also pass your details to the staff and volunteers providing that service. They may hold additional information about your participation in these activities.
=== Transparency ===
Wikimedia UK is committed to ensuring that members and supporters are aware:
# that their data is being processed
# to what purpose it is being processed
# what types of disclosure are likely, and
# how to exercise their rights in relation to the data.
Those on whom Wikimedia UK holds data will be informed in the following ways:
# '''Members''': as part of the process of joining or of renewing membership
# '''Supporters''': as part of the process of making donations and through the website
# '''Volunteers''': in the volunteer welcome/support pack, at events and through the website
Contractors: through correspondence and, in the case of staff, through the [[Staff Handbook]].


We would also like to contact you in future to tell you about other services and events we provide, to keep you informed of what we are doing and ways in which you might like to support Wikimedia UK. You have the right to ask us not to contact you in this way. We will always aim to provide a clear method for you to opt out. You can also contact us directly at any time to tell us not to send you any future marketing material.
=== Changes ===
This Privacy Policy may be updated from time to time so you may wish to check it each time you submit personal information to Wikimedia UK. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to use the Wikimedia UK website to submit personal information to Wikimedia UK. If material changes are made to the Privacy Policy we will notify you by placing a prominent notice on the website.


You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer at Wikimedia UK. There is a charge of £10 for a copy of your data (as permitted by law). We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days.
== References ==
{{Reflist}}


[[Category:Staff policies]]
[[Category:Staff policies]]
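
Review bot: In the BoardApproved template at the top of the new revision, the added `17 May 2018` BoardApprovedHistory entry carries the same final value, 40298, as the `25 May 2013` entry above it, and `lastid` is also set to 40298, so the GDPR amendment is recorded against the same revision as the 2013 amendment. If that value is the approved revision id, the 2018 entry and `lastid` should carry the id of the revision the Board approved in May 2018. Separately, in the new Transparency list the `Contractors:` line has no `#` marker or bold, unlike the three items before it, and the lawful-basis bullet reads "a legitimate business interests or" where the neighbouring bullets end in "; or".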

Latest revision as of 15:37, 3 February 2020

This policy was approved by the Board on 21 April 2012. It is part of a series of Staff Policies. (approved revision, subsequent changes)
Changes to this policy are subject to board approval, and should be proposed either on the talk page or the Engine room.

Approval history:

22 April 2012 - Initial adoption (approved revision)

25 May 2013 - Amendment to include European Economic Area/Data Protection Act requirements (approved revision)

17 May 2018 - Amendment to include GDPR update - minutes to follow (approved revision)

Introduction

Wikimedia UK is committed to protecting and respecting your privacy and your personal information. This data protection policy sets out how and why we obtain personal information, how we use it, and what steps we take to protect it. It describes the lawful basis on which we do this and your rights in respect of your data. It tells you how to get in touch if you have any further questions.

Our website policy describes what cookies we use on our website and their purpose.

Who we are

Wikimedia UK is a company limited by guarantee (number 6741827) and a registered charity (number 1144513). We are the UK chapter of the global Wikipedia movement. This policy relates to information which is obtained by Wikimedia UK and which Wikimedia UK uses.

What we do

Wikimedia UK's DPA certificate

Wikimedia UK works in partnership with organisations from the cultural and education sectors and beyond in order to unlock content, remove barriers to knowledge, develop new ways of engaging with the public and to enable learners to benefit fully from the educational potential of the Wikimedia projects.

We support the development of open knowledge in the UK, by increasing understanding and recognition of the value of open knowledge and advocating for change at an organisational, sectoral and public policy level. Our members and supporters help us do this by:

  • Fundraising and donating money, services or gifts-in-kind
  • Campaigning for change and engaging in public debate
  • Participating in voluntary activities such as editathons.

What personal data we collect

Membership data: this is information you give us when you join Wikimedia UK. This will include your name, address, email, telephone numbers, date of birth, and country of residence. This may also include bank details, data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.

We keep this information while you are a member and for a period of three years after the date on which your membership ceases.

Supporter data: this is information you give us when you donate time, money, services or goods to Wikimedia UK. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.

We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it for longer or unless otherwise required by law.

Volunteer data: this is information you give us when you participate in Wikimedia or partner organisations' events or activities. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.

We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it indefinitely.

Contractor data: this is information you give us when you enter into a contractual relationship with us, whether as a member of staff, a supplier or in some other capacity. This data may include your name, national insurance, pension and tax details, bank details and the amount(s) you have paid to or been paid by Wikimedia UK. This may also include your address, email, telephone numbers, date of birth, and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.

We keep this information for a period of seven years from your most recent interaction with us, unless otherwise required by law.

Cookies: We collect information about your interactions with our website using cookies. We might also obtain your personal data through your use of social media such as Facebook, Twitter or LinkedIn. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this. Our use of cookies is covered by a separate policy here.

How we use personal data

We hold and process personal data of members, supporters, volunteers and contractors. We use it as follows:

Members: We use this data in order to fulfil our commitments as a membership organisation, to ensure the proper conduct of the organisation and to meet our obligations under our Articles of Association and as required by law.

Supporters: We recognise that supporters have a legitimate interest in how we use their donations and that this interest persists after a donation is made. We use this data to keep a record of donations made and actions taken by our supporters, to keep supporters informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with supporters.

Volunteers: We recognise that volunteers have an ongoing and legitimate interest in our activities and that this interest persists after a contribution is made. We use this data to keep a record of donations made and actions taken by our volunteers and our communications with them, to keep volunteers informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with volunteers.

Contractors: We use contractor data for the proper administration of our contracts, to comply with existing legislation, and in the course of our normal business.

This means that the lawful basis for us processing your personal information described above will be one or more of the following:

  • because it is necessary to fulfil a contract that we have in place with you; or
  • because the processing is necessary for compliance with our legal obligations; or
  • because we have a legitimate business interest; or
  • because we have your consent to keep and use the data.

Where we are made aware that there is no lawful basis for keeping personal data, we will delete it.

Wikimedia UK will not, under any circumstances, share or sell your personal data with any third party for their own marketing purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your personal data to us.

How we govern the use of personal data

The Board of Trustees recognises its overall responsibility for ensuring that Wikimedia UK complies with its legal obligations. It reviews data systems and procedures annually to ensure compliance with the law and good practice. Day to day responsibility for data management is delegated to the CEO, who has the following responsibilities:

  1. advising the Board on data protection and related policies
  2. ensuring data security
  3. approving data protection-related statements on publicity materials and letters
  4. ensuring that staff have appropriate training in data protection, and
  5. receiving and responding appropriately to data inquiries

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Each member of staff, trustee and volunteer at Wikimedia UK who handles personal data will comply with the organisation's operational procedures.

Wikimedia UK has registered with the Information Commissioner's Office under the Data Protection Act. Our registration number is Z3098483.

Because confidentiality applies to a much wider range of information than GDPR, Wikimedia UK has a separate Confidentiality Policy. In the event of any conflict, this Data Protection Policy takes precedence.

How we store personal data

Wikimedia UK has an electronic database holding information about all members, supporters, volunteers and contractors. We also hold physical records, which include attendance records, correspondence, emails and minutes of proceedings at events or meetings.

  • Paper records will be stored in locked cabinets
  • Electronic records will be stored on computers protected with alphanumeric passwords
  • Electronic backups are kept securely, in line with industry standards.

Only authorised personnel for whom access to the data is necessary for the performance of their duties will have access to it.

Personal Data relating to any electronic interactions with Wikimedia UK will be held on a computer within the European Economic Area, as required by our ICO registration.

Accessing and changing your data

Everyone has the right to know what data we hold, to confirm that it is accurate and, in the absence of any lawful grounds for us keeping the data, to ask that it be deleted. We will respond to any requests to change or delete data within 30 days.

If you would like more information, have any questions about this policy, or wish to access, change or request deletion of your data, please write to: yourdata@wikimedia.org.uk

We may need to ask you to provide:

  • proof of your identity
  • proof of your home address
  • any information that we reasonably need to locate the information you have requested

Requested data will be provided in electronic format at no charge.

To make a formal complaint about Wikimedia UK's approach to data protection or raise privacy concerns directly with our data protection team, please contact:

The Data Protection Officer

Wikimedia UK

5-11 Lavington Street

London

SE1 0NZ

You also have the right to make a complaint direct to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO can be contacted here.

Concerns can also be logged via the ICO website.

Transparency

Wikimedia UK is committed to ensuring that members and supporters are aware:

  1. that their data is being processed
  2. to what purpose it is being processed
  3. what types of disclosure are likely, and
  4. how to exercise their rights in relation to the data.

Those on whom Wikimedia UK holds data will be informed in the following ways:

  1. Members: as part of the process of joining or of renewing membership
  2. Supporters: as part of the process of making donations and through the website
  3. Volunteers: in the volunteer welcome/support pack, at events and through the website
  4. Contractors: through correspondence and, in the case of staff, through the Staff Handbook.

Changes

This Privacy Policy may be updated from time to time so you may wish to check it each time you submit personal information to Wikimedia UK. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to use the Wikimedia UK website to submit personal information to Wikimedia UK. If material changes are made to the Privacy Policy we will notify you by placing a prominent notice on the website.

References