At Visionary, we take your right to privacy very seriously. We want to make sure you are aware what personal data we collect, the steps we take to protect your personal data and explain how we may use it. Please take the time to read this Privacy Notice carefully. If you do not understand something mentioned in this notice or need more clarification, please contact Visionary by emailing firstname.lastname@example.org and we will be happy to explain.
1. About Us
- In this Privacy Notice, references to “we”, “us” or “our” are to “Visionary”. “Visionary” is the operating name of Visionary – linking local sight loss charities Limited, Registered Charity No. 1135360 (England & Wales) and SC044163 (Scotland). A Company Limited by Guarantee No. 07185372. Registered Office: Pocklington Hub, Entrance D, Tavistock House South, Tavistock Square, London WC1H 9LG.
- We are the “controller” for any personal data processed as set out in this Privacy Notice.
- Our data protection practices are regulated by a supervisory authority. The UK Supervisory Authority under the General Data Protection Regulation (“GDPR”) is the Information Commissioner’s Office (“ICO”). As a UK-based charity processing the personal data of individuals based in the UK, our supervisory authority is the ICO.
2 Visionary Membership
- This Privacy Notice applies to your membership with Visionary including the benefits you receive as part of your membership and the consequential processes of being a new or existing member.
- Trusted suppliers or partner organisations who provide services or support to Visionary members may also gather information and will have their own Data Protection Policies and Privacy Notices. They are not covered by Visionary’s Privacy Notice and you should refer to the other parties’ Privacy Policies as applicable.
3. Collection of Information
- When you apply for or renew membership to Visionary; access any area of http://visionary.org.uk; access any member benefits; attend events organised by Visionary; receive support from Visionary staff whether in person, over the phone or by email; respond to communications from Visionary’s Member Engagement team; participate in surveys; request support from our helpline or central email; or cancel your membership; we may collect, store and use your personal information in line with this notice.
- When you apply for or renew membership, we ask for personal information relating to the applicant. The applicant is usually the organisation’s “leader” and must be someone who has the authority to make such an arrangement between their organisation and Visionary. Upon application, we ask for the applicant’s first name, surname, job title or position within their organisation, contact number, email address preferred communication and a signature is required to enter into the membership agreement. This is the minimum amount of information we need to be able to provide the benefits of membership and fulfil our part of the membership agreement in a way that is accessible to the applicant.
- For individuals booking onto events organised by Visionary we ask for the attendee’s first name, surname, contact number, email address, accessibility requirements and dietary requirements. This is the minimum information necessary needed to communicate information about the event and deliver an event in a way that is safe and accessible for an attendee.
- As part of our membership benefit package, support is available from Visionary directly to other staff, volunteers and trustees within the organisation in addition to providing support and communications to the applicant or “leader” of the organisation. For that reason, we may also collect and store the information of these individuals too.
- Individuals who are part of full, national and associate members have access to various email newsletters from Visionary and can choose which communications they wish to receive. Sometimes we ask the “leader” of the organisation if they wish for their colleagues to receive these communications too. If they provide us with an individual’s information, we will contact that individual to let them know that their information has been passed on to us and what information has been provided. We will ask them to confirm that they wish to be opted into our newsletter communications.
- When an individual contacts us or receives support from a Visionary staff member, we keep a record of these interactions and the content of that interaction whether by phone, email or in person. This may contain information relating to individuals. Recording this information is important to us to be able to provide good quality, continuous support and to help us monitor our outputs and outcomes.
- When individuals attend events, we often take videos and photos. At the point of booking onto an event, you will be asked if you opt in to consenting to your image being captured. We will make this clear to you at the point of booking for each and every event. Any videos or photos may be used in Visionary’s promotional literature; on our website http://visionary.org.uk; or social media through @Visionary_UK on Twitter; or through ‚ÄòVisionary – linking local sight loss charities’ channel on YouTube. Photos or videos taken at events may also be shared with and by used Thomas Pocklington Trust as part of Visionary’s strategic alliance with the organisation. We will not associate any other personal data of yours including opinions or contact information alongside the video or photo unless you expressly consent to it. Wherever possible, we try not to make individuals identifiable through photos and videos.
4. Use of Your Information
- By signing your organisation up to become a Visionary member or by accessing Visionary member benefits as someone working for or volunteering for a Visionary member organisation, you agree that your personal information may be collected, stored, used and shared by us, our partners, or third parties we work with, for any of the following purposes:
- to be able to provide an effective, high quality service to you or your colleagues as part of our obligation to you as a Visionary member and to be able to improve our service offering;
- to provide you with a user-friendly browsing experience when using http://visionary.org.uk and to keep our website free from malicious attacks;
- to fulfil any contractual agreements between you and us;
- to ensure the safety, inclusion and convenience of attendees at events facilitated by Visionary;
- if you have paid to take part in an event, to be able to process this payment;
- if you have provided a service to us, to be able to process your request for payment and ensure timely payment;
- if you have applied for a grant from the Development and Innovation Fund, to be able to process your application; and if successful, process a grant agreement, monitor the project and process grant payment;
- if you have requested support from Visionary, submitted a complaint or query, to be able to address these and provide you with a timely and appropriate response and to learn from these experiences to improve our organisation’s offering to members;
- to send you email notifications and updates with information relevant or beneficial to your organisation or events that you have signed up to;
- to send you newsletters that you have opted in to receiving;
- to provide you with information on how to renew your membership with Visionary;
- to put you in touch with our partners or trusted suppliers at your request;
- to comply with legal and regulatory requirements such as Health and Safety incident recording for the HSE or accounting records for HMRC;
- to contact you occasionally in order to invite you to share your opinions and experiences of being a Visionary member and to develop case studies for the benefit of other members;
- to allow Visionary and Thomas Pocklington Trust to monitor and evaluate the services we provide and to support Impact and Evaluation research and reporting between Visionary and Thomas Pocklington Trust;
- to notify you of updates to our Privacy Notice;
- to process termination of your membership;
- to uphold any of your rights under GDPR or as part of an effort to protect your privacy.
5. Storage of Information
- Wherever possible, we aim to minimise the amount of data held as a hard copy by using electronic systems as the default option for most processes such as membership renewal and events booking. Where it is not possible to do this or where an individual has preferred to give us their personal data through a hard copy, we keep hard copies of personal data in a locked cabinet at Pocklington Hub, London, UK where Visionary is registered to. Only Visionary staff have access to these records.
- Where we have sought your consent, for example for us to capture your image through photos or videos, we will keep a record of this on our SalesForce database along with the time, the method of consent and what you consented to. We will also keep a record of any changes or updates to your consent. We are required to do this by law as of 25 May 2018.
- Personal information relating to membership, communication preferences, access requirements, interactions with our members and events is stored on our SalesForce database on secure SalesForce servers based within the European Economic Area (“EEA”). Only Visionary staff members have access to this database. Staff are forced by the system to change their passwords regularly and use two-factor authentication when accessing the database from a new device.
- To process member renewal, communication preferences, events bookings and surveys, we send unique links through MailChimp email client with a link to a FormAssembly. Data submitted in FormAssembly is pushed through to our SalesForce database. Once the process has ended, for example after an event has taken place, the information stored on FormAssembly is deleted and only maintained on SalesForce for the duration set out in our retention processes and procedures.
- Our website is hosted on secure servers within the EEA. As it is possible that someone could access the website from outside the UK, we do not host personal information at the front end of our website in order to minimise transfer of personal data outside the EEA. Full Visionary members have the option to be given an account to access the ‚Äòmembers’ only’ area of our website. Members are forced to set their own passwords when they log in for the first time. We do not have access to the password that individual chooses. We ask for users to keep their password secure and not to reveal it to anyone else. If it is lost or forgotten, there is the option to reset the password. Whilst we have used our best efforts to ensure the security of your data, please be aware that we cannot guarantee the security of information transmitted over the Internet.
- Occasionally we will store records such as grant contracts which may contain personal data on our shared drive. This shared drive is hosted by Thomas Pocklington Trust on a secure server within the EEA. We use a combination of password protection and folder permissions to restrict access to the folders where this information is stored, however Thomas Pocklington Trust will have access to this data in the capacity of a “processor” to facilitate secure storage or transfer or data where necessary.
- Financial information is processed by Thomas Pocklington Trust finance team on behalf of Visionary as part of our strategic alliance. We make this clear to anyone at the point of them disclosing information in relation to financial processes. Any personal information relating to finances is stored on secure servers hosted by aCloud and is not kept anywhere else.
- If at any point we become aware of a breach of data, we will risk assess the severity of the situation. If we determine that the breach is likely to result in high risk to your rights and freedoms, we will communicate the breach to you without undue delay and report the breach to the ICO as part of our legal obligation. Any data processors that we have arrangements with will be required by contract to inform us of any breaches they become aware of that relate to your personal data, as soon as they become aware.
6. Legal Basis for Processing Your Information
- Our legal basis for collecting and using the personal information described in Section 5 will depend on the personal information concerned and the specific context in which we collect it. We will collect personal information from you only (i) where we have your consent to do so, (ii) where we need the personal information to perform a contract with you (iii) where the processing is in our legitimate interests and not overridden by your rights, or (iv) where we have a legal obligation to do so.
- If you have provided a service to us, we will use your data as necessary to fulfil our contractual obligations, including to be able to process your request for payment and ensure timely payment.
- In order to provide services to individuals associated with your organisation as part of the Visionary membership you have purchased and to ensure you have access to the full range of member benefits, we will use your data as necessary to fulfil our contractual obligations, including to deliver personalised support by email, phone and in person.
- If you have opted in to receiving any of the Visionary Briefings (including Visionary Fortnightly Briefings, Visionary Special Briefings and Visionary Trustee Briefings), we will use your data to provide these communications based on your opt-in consent. You can withdraw consent at any point. You will not be eligible to receive these communications if you are not associated with an existing Visionary member.
- If you are associated with a Visionary member or are enquiring about membership, we use data about your access requirements including your preferred format in or order to provide an accessible service and meet our legal obligations under the Equality Act 2010.
- If you are attending an event facilitated by Visionary, we will use data about your dietary and access requirements to meet our legal obligations to be compliant with the Health and Safety Executive.
- If you are associated with a Visionary member organisation, we may collate personal information for example recording support interactions or survey responses, under our legitimate interests, enabling us to provide an effective and continuous service to you, improve our services in future and monitor our impact.
- If you are associated with a Visionary member organisation and then leave that organisation, we may still keep your personal information for up to three years after you have left under our legitimate interests. We wish to provide a quality membership experience which includes consideration of your remaining colleagues receiving a continuous service, particularly in the case of staff and trustee transitioning support. We always weigh the consideration of our legitimate interests against your privacy rights to ensure your rights are not overridden.
7. Disclosure of Your Information
- We may disclose your personal information to third parties if we are under a duty to disclose your information to comply with a legal obligation or to protect the safety of our property, our staff, other members or members of the public.
- Other than the third parties named in the Privacy Notice or for the reasons noted at paragraph 7.1 above, we will not disclose your personal information to any other third party unless we have obtained your consent first.
8. Data Retention
- We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
- When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
- In the event of a person leaving an organisation which has Visionary membership, we will delete the contact information along with access and dietary requirements for that person immediately upon being made aware of that person’s departure, or the day after their final day with that organisation if we know in advance. We will retain that person’s name, position, association with the organisation and any interactions with that person for five years to ensure continuity and quality of support to our members as our support to members includes support with staff and trustee transitioning. After five years, the information will be permanently deleted from our database.
- If an organisation ceases to become a member of Visionary and therefore terminates Visionary’s contract with that organisation to provide a membership service, we will delete any personal contact information relating to individual along with any access or dietary requirements. We will retain individuals’ names, positions, associations with the organisation and any interactions with those individuals relating to their time with the Visionary member organisation for three years. This is to aid the continuity and quality of support if an organisation wishes to resume membership with Visionary at a later date. After three years, the information will be permanently deleted from our database.
- When an organisation terminates its membership with Visionary, or in the case where Visionary has terminated the membership contract because the organisation has violated the ‚ÄòMember Expectations Policy’ any individuals associated with that organisation cease to have access to Visionary member benefits, which includes all Visionary Briefings. Anyone who has consented to receive Visionary Briefings will be removed permanently from the electronic mailing list and will no longer receive these communications.
9. Your Rights
Under the General Data Protection Regulation, you have the following data protection rights:
Right to be informed. We will strive to be transparent in how we collect and use personal data. This Privacy Notice sets out how we do that and is publicly available. We are happy to receive questions or comments about any information contained in this Notice.
Right of access. If we store your personal data, you have the right to make a subject access request. We are required by law to make this information available to you within a month, unless the request is complex or there are numerous requests. This information will be supplied to you electronically in a format that is accessible to you. This will be free of charge.
Right to rectification. If you become aware that we hold incorrect or incomplete information about you, you can contact us using the details in Section 12 to provide us with the correct information. We have a duty to keep up to date information and so we ask the lead contacts to confirm or update their information at the point of member renewal which takes place every year.
Right to erasure (otherwise known as the ‚’right to be forgotten’). If you withdraw your consent and it is our only legal basis for keeping your information, your personal information will be deleted upon your request. If we no longer have a legitimate interest for keeping your data or the reason for keeping the information at the time you provided it is no longer applicable, we will delete your information upon request. There may however be situations where it is not possible, for example where we are required to by law. In these cases we will explain to you why it is not possible to fulfil your request completely, however we will work with you to minimise any processing of that data.
Right to restrict processing. At this request, we will continue to store your data but will restrict any further processing. Decisions to restrict will be based on assessing whether legitimate grounds override individual rights or not.
Right to data portability. You have the right to request that we move your data from one IT environment to another. This would be between different organisations. Whilst we will do our best to format our information in a way that another organisation could use it without it being corrupted, we cannot guarantee that systems will be readily compatible.
Right to object. You have the right to object to any direct marketing. Visionary’s direct marketing is done through our email briefings which we seek your consent for. If you withdraw consent, we will cease this marketing immediately. You also have the right to object to processing based on legitimate interests or the performance of a task in the public interest, exercise of official authority, or for purposes of scientific/historical research and statistics. At this point we will consider the weight of the legitimate need to process data again the individual’s privacy rights.
Rights regarding automated decision making and profiling. This is not applicable as Visionary does not currently automate decision making nor carry out any profiling.
If you feel that we have not respected your privacy rights, you are entitled to make a complaint to the ICO. Further information on how to do this can be found on the ICO website: https://ico.org.uk/concerns/ However, before making a complaint direct to the ICO, we advise that you contact Visionary first to try to resolve the matter in accordance with ICO’s guidance.
We strongly believe in protecting the privacy of children. We do not knowingly collect or maintain personal information from persons under 13 years of age. Any person applying for membership of Visionary must be of 18 years or over in order to enter into such an arrangement. No part of the http://visionary.org.uk is directed to persons under 13 years of age. If you are under 13 years of age, then please do not use or access our website. We will take appropriate steps to delete any personal information of persons less than 13 years of age.
We may update or amend this Privacy Notice from time to time, to comply with law or to meet our changing business needs or reporting requirements. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. At a minimum, any updates or amendments will be posted on http://visionary.org.uk and communicated through the Fortnightly Visionary Briefing.
12. Contacting Visionary
If you have any questions, comments or complaints about this Privacy Notice, please contact us using the details below:
FAO: Visionary Data Protection Compliance Lead
Entrance D, Tavistock House South
London, WC1H 9LG
This Privacy Notice was last updated on 14 March 2018.