Initial draft, GM
Amendments: individuals seeking help added to purposes for processing data; contact details changed to contact form [link to be added].
- “Personal data” is any information about a living individual which allows them to be identified from that information, or that information along with other information available to the individual or organisation who controls or processes their data.
- A “data subject” is taken to be any individual whose data is collected, processed or stored by the organisation.
- The policy covers data processed by the following entities:
- Triangle Technology (triangletechnology.co.uk)
- Step Search Platform (stepsearch.org)
- For the purposes of this policy, Triangle Technology Ltd. is considered the “data controller” for personal data provided to either of these entities. This means we are responsible for determining what personal data is processed and for what purpose, and for securely collecting, storing and processing personal data. Triangle Technology Ltd. will be referred to as “the organisation” throughout this policy.
- Triangle Technology Ltd. is committed to processing personal data responsibly, lawfully and securely in accordance with the UK Data Protection Act 2018 (“DPA 2018”) and EU Regulation 2016/679 (the General Data Protection Regulation “GDPR”).
- Data protection
We secure personal data by:
- Using appropriate policies, processes and best practice to safely manage personal data.
- Minimising the amount of personal data collected, processed or stored and holding this for a minimal timeframe.
- Ensuring any third-party organisations who collect or store personal data on our behalf are GDPR-compliant and committed to data protection.
- Being responsive to any requests from data subjects who wish to exercise their rights to access, rectify, limit, or erase data held on them, or who contact the organisation with any other relevant requests related to their personal data.
- Committing to deal appropriately with any unlikely breach of data security by having a plan in place that involves implementing all necessary procedures and may include notifying relevant individuals or organisational bodies.
- Categories of personal data
In the course of our core activities, Triangle Technology Ltd. may process personal data that includes, but is not limited to:
- names, titles and aliases;
- contact details such as address or postcode, email address and telephone number;
- identification data including date of birth, photograph and identity document number;
- financial information, such as bank account details;
- additional personal information for current or future employees, contractors or volunteers within the organisation, relevant to their employment or engagement with the organisation, which may also include details for next of kin.
- Purposes of personal data
We process this data for the following purposes:
- to verify the identity of those who apply to use our platform in order to volunteer with individuals or organisations;
- to connect volunteers with individuals or organisations who require help;
- to connect individuals requiring help with appropriate volunteers or services;
- to inform, or engage with, relevant individuals or organisations interested in our services;
- to process payment for services we contract from other individuals or organisations;
- to process payments or donations we receive for our services;
- to seek views or comments from individuals engaged with our organisation;
- to manage and fulfil our obligations to any volunteers, contractors or employees of the organisation;
- to meet any relevant statutory and legal obligations.
- Principles of data protection
We ensure that personal data is processed in accordance with the eight Data Protection Principles set out by the Information Commissioner’s Office.
These state that personal data must:
- be processed fairly, lawfully and transparently;
- be collected and processed only for specified, explicit purposes;
- be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date;
- not be kept for longer than is necessary for the purposes for which it is processed;
- be processed in line with the data subject’s rights;
- be processed securely;
- not be transferred outside the EU without adequate protection.
- Lawful bases
- We only collect or process personal data when we have a lawful basis for doing so. The six lawful bases for processing personal data are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests
- Much of the personal data we collect is processed on the basis of consent – meaning that a client, potential volunteer, individual seeking help or services, job applicant or other individual explicitly tells us they agree that the organisation will process some of their personal data for a specific, named purpose.
- We may also process personal data in order to create contracts or fulfil contractual obligations, or because we have a legal or statutory responsibility to do so. This most often applies to data processed to provide our services to organisations or individuals; to contract the services of others; to fulfil our financial obligations to HMRC and other entities; and to fulfil any employment, health and safety or safeguarding responsibilities we may have.
- More rarely, we may need to process personal data based on vital interests or legitimate interests. If we process data on the lawful basis of legitimate interests, we ensure that processing this data is necessary to fulfil our core functions as an organisation, and that this processing does not overly affect the interests, rights and privacy of the person whose data we are processing.
- Third parties
- Triangle Technology Ltd. may use third-party services to collect, process and store personal data; or share personal data with trusted third-party services where necessary.
- Our websites use a very limited number of cookies. These include strictly necessary cookies (those required for you to experience the full functionality of the site) and statistics cookies (those that track limited user data in order to understand the site’s visitors and improve the site and organisation).
- Opting out of cookies
- Any website user can configure their browser to stop accepting cookies from our websites, or even from all websites they visit, at any time.
- You can usually do this through the Options or Preferences menu of your web browser. If you wish to manage and disable cookies, please click the links below for instructions that vary by browser:
- Google Chrome
- Mozilla Firefox
- The rights of data subjects
- Triangle Technology Ltd. will always respect the rights of data subjects regarding personal data collected, processed or stored. Data subjects have different rights depending on the lawful basis under which we process the data.
- Right to access
Data subjects have the right to ask for a copy of the information held about them (including why we hold the information, who has access to it, and where we obtained it), which is called a “subject access request”.
- Right to erasure
Unless we hold data due to legal obligation or on the basis of public interests, data subjects have the right to request that we delete or stop processing their data.
- Right to rectification
Data subjects have the right to ask us to change incorrect or incomplete information we hold about them.
- Right to restriction of processing
Data subjects have the right to ask us to restrict the way we process their personal data.
- Right to object
Data subjects have the right to object to our use of their personal data, which effectively asks us to stop processing their information. Data subjects can’t object to data that is held or processed on the basis of contract, legal obligation or vital interests. While data subjects can’t formally object to data held or processed on the basis of consent, they can withdraw consent at any time.
- Right to portability
Data subjects have the right to ask to receive a copy of all personal data we hold on them, and to ask us to send it in a structured, easily accessible, machine-readable format, or to ask for this data to be sent directly to another data controller.
- Contacting us
Data subjects can make a subject access request or exercise any other rights regarding their personal data by getting in touch via our contact form.
As recommended by the ICO, we will process any such request within 30 days, unless we consider the request manifestly unfounded or excessive, in which case we will write to the data subject explaining the situation and the next course of action within the 30-day limit.
- Breaches of data security
- A personal data breach means that the security of personal data is compromised. This includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- In the unlikely event that a data breach occurs, Triangle Technology Ltd. will follow GDPR-compliant protocol by implementing a recovery plan, notifying the appropriate authorities and informing any relevant people or organisations.