Hertford St Andrew Community Trust Privacy Notice
1. Introduction
We, us and our when used in this notice refers to Hertford St Andrew Community Trust. You, means you the data provider and your is to be construed accordingly.
We appreciate the trust you place in us when sharing your personal data. The security of that data is very important to us. In this document, we will explain how we collect, use and protect your personal data.
We will also explain what rights you have with regards to your personal data and how you can exercise those rights.
2. Who are we?
Hertford St Andrew Community Trust (the Trust) is the data controller (contact details below). This means it is the Trust which decides how your personal data is processed and for what purposes. The Trust is a company registered in England & Wales number 7661219 the registered office of which is at St Andrew’s Church, St Andrew Street, Hertford SG14 1HZ.
3. Your personal data
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in our possession or likely to come into our possession. The processing of personal data is governed by the General Data Protection Regulation (the GDPR).
3.1 Why do we collect personal data?
In the course of hiring out and the management of the St Andrew Centre, St Andrew Street, Hertford (the Centre) and in relation to activities and events conducted by us we collect personal information when you make direct enquiries with us, or by visiting the St Andrew’s Centre page on the website www.hertfordstandrews.co.uk and on completing a Booking Form and Agreement for hiring space at the Centre. We may also collect personal information on trustees, staff and volunteers to ensure we can meet our legal obligations.
3.2 How do we process your personal data?
We comply with our obligations under the GDPR by keeping personal data up-to-date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
-
To enable the Trust to manage the Centre, including (but not limited to) the management of hirings and use
-
To make or receive payments from you;
-
To maintain Trust accounts and records;
-
To communicate with you about activities and events conducted by us;
-
To fulfill any contract we have entered into with you or the entity you represent
-
To comply with our legal obligations.
3.3 What is the legal basis for processing your personal data?
Contractual performance in the case of hire agreements and other contractual arrangements;
Your explicit consent where obtained, for the specific purposes stated in the consent form;
Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, charity or company law or a collective agreement;
Legitimate interest in respect of any dispute or claim and communications relevant to our relationship with youWhen we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:
-
The purpose test – is there a legitimate interest behind the processing?
-
Necessity test – is the processing necessary for that purpose?
-
Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?
3.4 Storage of personal data
All physical data will be held securely in a locked cabinet in a non-public location, accessible only by designated staff members of the Trust. All office computers with access to personal data will be password protected. All electronic data held on portable devices (for example laptops and USB drives) will be password protected and encrypted. All relevant staff members will be supplied with data storage equipment and encryption software to ensure data security where personal or sensitive data is stored.
3.5 Sharing your personal data
Your personal data will be treated as strictly confidential and not be shared with third parties unless the Trust is legally obliged to, or there is a risk of harm to you or another, for example, in a safeguarding situation or with professional advisers, for example, in the case of a dispute or claim.
3.6 How long do we keep your personal data?
The Trust will not hold personal data longer than necessary. There are certain legal requirements or recommendations which mean that the Trust will keep documents for a minimum period of time. External organisations may also keep information the Trust lawfully provide for periods of time determined by them. Some of these documents may contain personal data. These include, but are not limited to those set out in the schedule below.
The Trust will store archived documents securely, and maintain a register of archived documents along with their planned destruction date. The Trust will review annually these retention periods to ensure that they remain within the law and recommended practice.
3.7 Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
The right to request a copy of your personal data which the Trust holds about you;
-
The right to request that the Trust corrects any personal data if it is found to be inaccurate or out of date;
-
The right to withdraw or change your consent at any time [This will not affect any personal data that has already been processed prior to this point]
-
The right to request your personal data is erased where it is no longer necessary for the Trust to retain such data [Subject to a legal requirement to retain or where erasure is impracticable];
-
The right to request that the data controller provide the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability) where requested.
-
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
-
The right to object (where applicable) to:
-
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
-
Direct marketing (including profiling); and
-
Processing for purposes of scientific/historical research and statistics.
-
The right to lodge a complaint with the Information Commissioners Office.
3.8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
4. Contact Details
To exercise all relevant rights, queries or complaints, please in the first instance contact the Bookings Secretary, St Andrew’s Church, St Andrew Street, Hertford SG14 1HZ standrewscentre@hotmail.com
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
5. Retention Schedule
Data Source |
Retention Period |
Example |
Receipts and invoices |
Kept for 6 years from the end of the current financial year. |
Suppliers invoice |
Booking/hirer information (may include some personal information) |
Kept for 1 year |
Hirer agreements |
HMRC records (may contain employee personal information) |
Kept for 6 years from the end of the current financial year. |
P45, payroll information |
Trustee Meeting and AGM Minutes (may include some personal information) |
Stored electronically for an indefinite period, for reference purposes. |
Minutes from meetings. |
Trustee, employee, volunteer information (may include personal information) |
Necessary information to be retained for the duration of service. Job applications to be retained for 1 year |
Trustee declaration, ID documents, CVs and application forms |
Over 50s Table Tennis Club Members and Chair-based exercise classes (may include personal information including medical information) |
The duration of attendance to the club or classes plus 1 year |
Any relevant medical information to aid the volunteers in providing necessary care. |
Trustee information (may contain trustees’ personal information) |
May be kept by the Charity Commission and Companies House. |
Public registers. |
Financial donor and Gift Aid records (may contain donor’s personal information) |
Kept for 6 years from the end of the current financial year. |
Gift Aid declaration. |
HStACT, 18/07/2018