Last updated 1 October 2018
If changes are made to this policy at any time, we’ll clearly indicate the date and nature of the change in this document.
Who we are
Where you see the words ‘we’, ‘us’, ‘our’, ‘the charity’, it refers to The Reader Organisation (‘The Reader’). The Reader is a registered charity (No. 1126806) with the Charities Commission of England and Wales (SCO43054 in Scotland), and a registered company (No. 06607389) with Companies House. Our address is The Reader, The Mansion House, Calderstones Park, Liverpool L18 3JB.
This policy is written in accordance with the General Data Protection Regulation. To update your preferences, review or update your information, submit a request, raise any issues regarding the processing of your personal data or raise any questions, comments, or concerns about the Policy, you should contact the Data Compliance Manager using one of the options below:
Written enquiries: Data Compliance Manager, The Reader, The Mansion House, Calderstones Park, Liverpool L18 3JB
Telephone: 0151 729 2200
Any concerns can also be lodged with the Information Commissioner’s Office, the independent authority set up to uphold information rights in the UK – see the ICO website for contact details.
What Personal Data Do We Collect and Process?
We collect and process various types of personal data, for the purposes described below, including:
- Email address
- Home address
- Phone number
- Biographical information (e.g. year of birth, educational background)
- Employment and employer details
- Photographic/media recordings (including CCTV at our Calderstones site)
- Financial information
- IP addresses
- Pages accessed on any of The Reader’s websites
We may also collect and process special categories of personal data (previously known as ‘sensitive personal data’). Special categories data may include:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Sexual orientation
- Health information
We collect and process this data in relation to our monitoring, evaluation and research processes, for example when conducting evaluation of participants of our Shared Reading groups or other delivered activities. This data is typically provided to us by the individuals themselves; however in some circumstances it may be provided by a third party (e.g. a carer or supervisory staff member in a health or justice setting).
Why Do We Collect and Process Personal Data?
We collect and process personal data for the following purposes:
- To administer our websites;
- To process bookings and purchases;
- To monitor, evaluate and report on the reach and impact of our activities;
- To respond to any communications, queries or requests for information or services from you;
- To keep supporters, volunteers and group members informed of our work;
- For employee and human resources management purposes (as may be required by applicable laws);
- To receive and process financial donations;
- For auditing purposes (as may be required by applicable laws);
- To comply with our legal or regulatory obligations; and
- To establish, exercise or defend legal claims.
The Reader’s legal basis to process personal data includes processing that is:
- Necessary for our legitimate interests (for example, to administer our websites, to manage our relationship with you, to provide support for volunteers);
- Necessary in the performance of a contract (for example, to process and manage a magazine subscription or Storybarn booking)
- Necessary in the performance of a public task (for example, to safeguard our beneficiaries or perform functions supporting individuals’ data rights)
- Necessary to comply with legal requirements (for example, to comply with applicable regulatory obligations and employment law and to make mandatory disclosures to law enforcement); and
- Based on your consent (for example, to send you email communications, to conduct research about the impact of our programmes), which may subsequently be withdrawn at any time by editing your preferences or contacting us as specified in the How to Contact Us section of this Policy without affecting the lawfulness of processing based on consent before its withdrawal.
How Do We Protect Personal Data?
Personal data shall be subject to additional safeguards to ensure this data is processed securely. For example, we work hard to ensure data is protected when in transit and storage, that data is pseudonymised or anonymised wherever possible, and that access to this data will be strictly limited to a minimum number of individuals and subject to our Confidentiality Policy.
We will take all reasonable steps to ensure that your data is treated securely and in accordance with this Policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to any of our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. When possible, encryption is used, both in transit and storage. Access controls within the organisation limit who may access information.
Who Do We Share Personal Data With?
As necessary in connection with the above purposes, your personal data may be collected or processed using software provided by well-recognised third-party service providers (e.g. WordPress.org, Survey Monkey, MailChimp). We rigorously check these software providers before selecting them, reviewing their privacy and security policies. We may also be required to disclose or otherwise process your personal data in the context of any regulatory audit to which we may be subject from time to time. By submitting your personal data, you agree to this transfer, storage and processing.
Any other instances of sharing personal data outside The Reader will be identified at the point of data collection or (for previously collected data) prior to sharing and, where appropriate, consent will be obtained. Data may be shared for activities in connection with our mission including publicity, for research purposes or in order to link up individuals to new, existing or emerging Reader communities. Data Sharing Agreements will be put in place with all third parties prior to transfer of data, limiting usage of shared data to those purposes specified by The Reader, in line with our privacy statements and privacy protocols.
Some of these authorised third parties may be located outside the United Kingdom (“UK”) or European Economic Area (“EEA”). We take appropriate steps to ensure that recipients of personal data from us are bound to duties of confidentiality, where relevant or appropriate. Where this is not possible, we rely on the selection of trusted companies with privacy policies and auditable processes, and seek to ensure that there are adequate safeguards in place for protecting transferred data.
How Long Do We Keep Personal Data?
We ensure that personal data is retained only for as long as necessary in accordance with the above purposes and applicable laws. We may be required to retain your personal data for a number of years in order to satisfy legal or contractual obligations, or in order to establish, exercise or defend legal claims. When your personal data is no longer necessary for these purposes, the personal data will be securely deleted.
Emails and mailing lists
Emails received through the Get in Touch section of the website or email@example.com are reviewed by one staff member and sent onwards when necessary to other staff members. Similarly, emails sent to our other general addresses, for example firstname.lastname@example.org, are reviewed and passed on only when necessary. We use our best efforts to prevent disclosure of the names of senders to others outside of The Reader, i.e. third parties, without your permission, consistent with our legal obligations.
We use email service providers in the UK. Our current service provider is Microsoft.
We administer a mailing service (Mailchimp) for notifications by email based on interest in topics that you have explicitly indicated to us or that are relevant in relation to your role (e.g. e-newsletters). Outgoing messages are processed by our mail service and internet providers.
Information we receive by post to our general address is collected by one staff member, reviewed, and sent onwards when necessary to other staff members.
Telephone calls made to and from on our main landline number and subsequent extensions are processed by BT using a Mitel ISDN 30 service. As a result, traffic data for calls may be retained by BT in accordance with various laws and with the requirements of the services provided. Telephone calls and SMS (‘texts’) made to and from our business mobile phones are processed by EE. Traffic data for these calls and texts may be retained by EE in accordance with various laws and the requirements of the services provided. Additionally, traffic data held locally on business handsets (call logs, texts, etc.) may be retained by The Reader in accordance with business requirements, and subject to the conditions of the Data Usage and stored in accordance with Privacy policies may be found here for BT and here for EE.
Financial and Supporter Information
Online Ticket Purchases
We’ll also use anonymised information about your booking (date, number in party, children’s ages, postcode) to report on and understand the reach of the ticketed event.
We collect and process data provided by prospective and current donors. This data may include contact details, biographical information, financial information and donation history. We do not purchase or sell such data, so we only collect data given to us by the individuals themselves. This information may be processed through our CRM software or website which we control, but are ultimately hosted by our internet service provider.
We will ask donors wishing to make a donation under the Gift Aid scheme to complete an online or hardcopy Gift Aid declaration form. We are required to store an auditable record of those donors — full name, home address and details of the donation — in order to process the Gift Aid donation. To make a Gift Aid repayment claim, we are required to share that data with the UK Government — HMRC’s Gift Aid service, Charities Online. Please contact email@example.com for further information on making a Gift Aid donation.
The Reader magazine
We collect data about subscribers to The Reader magazine either at the point of purchase on our website, or via forms which we are sent to us by post. This will include a current address, to post the magazine to you, and an email address and/or telephone number, to allow us to address any queries around returned copies or cancelled subscriptions. This information will only be used to contact you about your subscription, and will be stored for a maximum of two years following the termination of your subscription. At the end of your subscription we’ll send you a letter notifying you that your subscription is coming to an end and giving you the opportunity to re-subscribe. Subscribers will also be given the option to sign up to general email communications from The Reader.
Occasionally we offer new and returning subscribers the opportunity to nominate a contact, friend or family member to receive a free taster copy of the magazine. Data received for nominees will include a name and address for postage; we’ll notify the nominated recipient and send on their taster copy within a month of receiving the nomination. This information will be stored on our databases for a maximum of two years following the delivery of the taster copy, unless within this time the recipient chooses to subscribe to the magazine themselves.
We also collect financial data to enable us to fulfil the contract with our subscribers. Subscriptions can be purchased either by Paypal, by cheque or Direct Debit. Records of these transactions are stored separately from the personal contact details we collect. Data relating to Direct Debit payments will be encrypted and shared electronically via Bacstel-IP with Bacs, who will notify the subscriber’s bank. Bacs will then notify us if there is an issue with the payment.
Subscribers can contact firstname.lastname@example.org to request amendment of any personal data that we hold in relation to their subscription.
Submissions of content for review by The Reader Magazine’s editorial team are only accepted by post; in order for the editors to provide a response, submissions must be accompanied by contact details including a name and address, and an email address if this method of communication is preferred. This information will only be used to contact you about your submission, and all data received will be passed directly to the editorial team to be stored for as long as is required to enable communication around the agreed use of the submission, if accepted, in a specific issue of the magazine. If your work is printed in the magazine, your address will be kept in order to post out complimentary copies of the specified issue to you.
Learning and Membership
Training with us
Some of our training courses and workshops involve a formal application process. We will use the data provided on training application forms to assess your suitability for training. If your application is successful, we’ll use your contact details to notify of you of your application outcome, to send pre-course information relating to the course, and (where applicable) to invite you to complete an initial volunteer survey and to assign you a Reader Number so you can sign up for The Reader’s Membership scheme which provides ongoing support to volunteers once they have completed initial training. Details of successful applicants are stored on our contacts and volunteer databases (Dynamics CRM) so that we can get in touch about information relevant to your role and region. This information forms part of your volunteer personal file and is retained until six years following the end of your time volunteering with us.
If your application is unsuccessful, we will use your contact details to notify you of the decision and to signpost you to other ways in which you can get involved with The Reader. A record of your application will be stored on our contacts and volunteer databases for six months, or for six years following the end of your time volunteering with us if you subsequently decide to take up another signposted role.
If shortlisted for a place on Read to Lead we will use the contact details you provide to request a reference from a referee. We would notify your referees of your name and identify your relationship to them but would not share your contact details with them. We will keep details of referees of successful applicants on the applicant’s volunteer record (retained for six years following the end of volunteering placement); unsuccessful applicants’ referees’ data will be deleted after six months.
If you are paying for a place on our training we will collect information about your preferred payment method; should you choose to be invoiced our Finance Team will use your contact details (or the details of your organisation) to send you an invoice.
Member Support Hub
Our Member Support Hub is hosted and administered by WordPress.org. When signing up to the Member Support Hub you will be invited to opt in to receive The Reader’s Membership e-newsletters which are administered by MailChimp. Subscribers can update their preferences or unsubscribe from these mail communications at any time.
You may re-request your Membership number or request a change of password to your website account by emailing email@example.com. These emails will be reviewed only by a limited number of staff who have access to this email account.
We design and administer our web services to limit the amount of data collected.
It is helpful to The Reader to know how our websites are used. This takes place in two ways, and each involves the use of analytics and data from user behaviour.
- We collect data on the usefulness of our sites’ content. This is to help us identify to ourselves and communicate to others, including our Board and our funders, how useful our website content is. This collection commonly comes in the form of identifying how many downloads there have been of a specific report or blog, or how many views of a video (and deciding what percentage of a video download qualifies as a ‘view’), and if available, the geographic distribution of the viewings.
- We collect data on how people use our sites. This is to help us design our work and our websites. This involves monitoring the journeys people take on our website – i.e. from where they enter, what areas and items they visit and download in the process of using the site, and from where they leave.
To undertake analysis of how our site is used, we use two processes.
- We administer our own website administration platform, using WordPress. WordPress will process some user activity, including IP address data and user-entered search queries. Our webserver also processes and logs HTTP requests, HTTP errors, PHP errors and TLS Handshakes (this list isn’t exhaustive).
We keep the aggregate and inferred data indefinitely, and use this aggregate data to report internally, to our Board, and to our funders. For instance, we will report to our Board that a website article was downloaded X number of times and reached people in Y countries.
Any personal data collected through purchases made on The Reader website will retained for two years and then deleted. When ordering you will be provided the opportunity to register an account and save delivery details for future purposes. Any inactive accounts will be automatically deleted after two years.
Third party cookies
We use social media and social networking services to advance our work. These applications require the use of third party service providers. Notably, we have a Facebook page, Twitter feed, Linkedin account, Instagram feed and a YouTube channel.
We use direct messaging over social media on occasion, when individuals and organisations contact us on Facebook by leaving messages in our Inbox or by sending us Direct Messages on Twitter. We do not export information about our followers from any social media platforms.
Volunteer, Applicant and Staff Information
As part of our recruitment process we receive application forms from applicants for staff roles, volunteer roles (including interns) and our talent bank. The completed application form contains personal data that we use to assess suitability for the position or role applied for. If successful, this information is retained on secure systems and for a period of six years after the end of the employment or volunteering. If not successful, all manual and electronic records relating to the application are deleted after a period of six months.
For applicants who enter our talent bank, we will ask you if you are happy for us to retain your details and to be contacted if a suitable position becomes available. We retain this information on secure systems and will contact you periodically to ask if you still wish be in our talent bank and for us to retain your details.
We keep all DBS application forms on secure systems and on completion of the DBS check we delete copies of all identity documents provided to support the application.
Monitoring, Evaluation and Research
We collect and process data for monitoring, evaluation and research purposes, for example when evaluating the reach of our programmes and their impact. This data may be provided to us by the individuals themselves or from third parties (e.g. member of staff in a care home). We only collect identifiable personal data when it is necessary to the evaluation (for example, when we need to compare individuals’ scores across their time volunteering or reading with us). In these circumstances, we would always pseudonymise your identity using a Reader Number.
Where research is conducted in collaboration with a third party research body we will ensure research ethics procedures are followed and all reasonable steps are taken to ensure specific informed consent is secured (where relevant) from all data subjects.
Some of our evaluation data is processed using Survey Monkey. We regularly download to our systems the data submitted online and erase it from Survey Monkey. We will keep your personal data for two years following the end of the financial year in which it was collected or for the retention period of your funded project, whichever is longer.
Reading Session Data
In some of our groups we use group members’ full names to record which sessions our members attend in order to analyse and understand attendance, recruitment and retention patterns. This information is stored on our CRM system and processed using Microsoft Excel; access is limited to relevant staff members only.
We are currently piloting an SMS text pilot for the submission of reading records. No personal data of group members is included in these records. Participating Reader Leaders will be asked to opt-in to take part, which is conducted through Open Market, and will be able to opt out at any time.
Your Data Subject Rights
You are entitled, in accordance with the General Data Protection Regulation (GDPR), to request access to, rectification of, or erasure of your personal data. You are also entitled to request restriction of or object to collection and/or processing of personal data, to request data portability and hold rights relating to automated decision making and profiling.
We will provide you with a response to your requests in accordance with UK data protection law. Requests can be submitted at any time by email to firstname.lastname@example.org, or by post to the physical address set out below. If our processing of your personal data is covered by EU law, you may also lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant supervisory authority name and contact details here. In the UK the relevant supervisory authority is the UK Information Commissioner, more information is available here.
How to Contact Us
Please read the Policy carefully. To update your preferences, review or update your information, submit a request, raise any issues regarding the processing of your personal data or raise any questions, comments, or concerns about the Policy, you may contact us by writing to The Data Compliance Manager, The Mansion House, Calderstones Park, Liverpool L18 3JB, by phoning 0151 729 2200 or emailing email@example.com
Changes to the Policy
In the event that the Policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to you to inform you of the changes and where appropriate seek your consent.