Privacy Statement

Image

At The 999 Club we are committed to making sure that your personal information is protected and never misused.  

When we talk about 'personal information' here, what we mean is any data which could directly or indirectly be used to identify you - for example your name, email, your computer's IP address or information we hold to help support those that use our services such as date of birth or career history. 

Our privacy policy explains what information we collect, why we collect it, how we use it, and explains the control you have over your personal information and the procedures we have in place to protect it. It applies to personal information we collect through our services and marketing communications including our website, email, SMS, in person, post and by telephone.   

We take responsibility for the personal information we collect about you, and we aim to be transparent about how we handle it, and give you control over it.  

If you have any questions, comments or concerns about any part of this policy or how The 999 Club handles your information please contact office@999club.org or phone 0208 694 5797 

You can also write to us at

The 999 Club
21 Deptford Broadway
London SE8 4PA

Privacy Policy

  1. The 999 Club’s commitment to your privacy and data protection

The 999 Club needs to keep certain information on its employees, volunteers, donors, suppliers and service users to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the General Data Protection Regulation (GDPR).

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

 

  1. Our Promise
  • We will only ask for or collect the personal information that we need to run and improve our services and to talk to you about our work - such as volunteering, fundraising, donating and campaigning.
  • We give you control over the personal information we hold about you to make sure it is accurate.
  • We make sure your personal information is always secure and protected.
  • We are fair and transparent about how we use the personal information we hold.
  • We only ever use your personal information for the purpose that you trusted us to use it for.
  • We will never sell your personal information and only share it as outlined in our privacy policy, or when you ask us to.
  • We respect your choices and will tell you if there are important changes that affect your personal information or how we use it.
  • We take responsibility for the personal information that we hold about you.
  1. Responsibility

The Board of Trustees delegates responsibility for personal data to the Data Protection Lead who is the CEO. They are responsible for:

  • understanding and communicating obligations
  • identifying potential problem areas or risks
  • producing clear and effective procedures
  • notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

All staff and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Breach of this policy will result in disciplinary action.

 

  1. What personal information do we collect?

If you support The 999 Club (for example if you volunteer, fundraise, donate or campaign for us) we collect and use personal information such as an individuals name, postal address, email address and phone numbers. We will also hold details of any donations or transactional services you may make with us, together with your marketing communications preferences. We will hold a record of our communications with you and any communications with us.

If you have kindly added Gift Aid to a donation we must record the fact that you are a UK taxpayer. HMRC requires that we maintain a record of that Gift Aid for seven years after your last donation to us.

As a volunteer we ask for your personal contact information, and we may ask for some (optional) information which we use to provide some equality and diversity information to make sure our Equality and Diversity Policy is working.

CCTV 

If you visit one of our Gateway Centre, your visit may be recorded on CCTV. The 999 Club maintains CCTV in our premises for the safety and security of our staff, members, and volunteers who work there, and to support any investigation to criminal activity that may take place in or around our premises. Images are kept for a maximum of 30 days. We prominently display signs in any areas where CCTV is in operation.

  1. How do we use personal information?

Providing 999 Club Services

If you access our services we will collect personal information about you. We use this to assess eligibility to services, and to make sure we support you in the best way possible. If you are accessing The 999 Club service user we will collect some information like contact details and whether you have any special health conditions we need to be aware of. We also collect some information like gender, or what languages you speak, for inclusion purposes. We will always offer you the option to say that you “prefer not to say”. We also collect some information (such as criminal convictions) to keep everyone safe. With your explicit consent (recorded on our electronic database) we will share this information with local services who can also help you. We will only ever share information without consent if it is to protect the safety and well-being of someone we believe is at risk of harm, for legitimate police requests to support a serious criminal investigation, or if we are directed to share information by a court order.

Fundraising and marketing  

We use a range of fundraising and marketing activities as many charities do, to raise income and promote our aims and goals. At The 999 Club we use a variety of marketing activities and channels like events, campaigns and appeals (in print and digital) to generate income, and encourage people to volunteer.

Volunteer management  

The 999 Club would not be able to do its work without the help of our amazing and dedicated volunteers who support our services all year round, helping us to raise funds through community and challenge events.  It is of great importance that if you volunteer for us that you are safe and have the best possible time while doing so. To do this we use your information to match you to the correct volunteering opportunities and to keep you updated through newsletters or dedicated emails (with your consent), to give appropriate training, and help you to deliver and promote the work of the 999 Club.

Staff and recruitment administration  

We process the personal information of our employees for recruitment, staff administration, salary, pensions, health and safety, and performance management.

The 999 Club needs a lawful reason to collect and use personal information. The law names six legitimate ways that we can process personal data. Of those six, we consider that five of them can be applied to The 999 Club’ operations:

  • Information is processed on the basis of someone’s consent
  • Information is processed on the basis of a contractual relationship
  • Information is processed for a legal obligation   
  • There may be occasions where information is processed to protect the vital interest  of an individual
  • Information is processed on the basis of the legitimate interests of The 999 Club

Consent

As a supporter of The 999 Club we will always ask for explicit consent to send mailing, marketing and fundraising emails, and text messages. We will also ask if you want to be contacted by phone.

You can withdraw consent at any time.  Simply email office@999club.org or call 020 8694 5797, or use our website to contact us.

If you volunteer with the 999 Club we will always ask for permission to process personal information.

Contractual relationship

If you are accessing 999 Club services, you are deciding to accept help and advice from us. This can be considered the basis of a contractual relationship, which means we provide you with a service in return for abiding by the ‘Service Users Agreement’. We can only provide you with the most appropriate services if you choose to share some of your personal information (such as your name). We will use the information to support your journey out of homelessness. We will not share this information without your explicit consent unless it is to protect the safety and well-being of someone we believe to be at risk of harm, or through a legitimate police request or directed through a court order.

Legal obligation

If you become a service user or volunteer, the 999 Club has a legal obligation to process health and safety information, which may include personal information in relation to incidents on The 999 Club’ premises.

If you have kindly added Gift Aid to a donation we must also process some minimal information for HMRC and hold this for seven years.

Vital interests

If you are a member, The 999 Club will sometimes share personal information, without your explicit consent, to partner organisations (including the police and local authorities) if we believe that there is a real and significant risk of harm to you or another person - however this is uncommon.

 

Legitimate interests

The law allows The 999 Club to legally collect and use (process) personal information if it is necessary for a legitimate business interest of the organisation. However it must be used in a fair and balanced way that does not impact on your rights. This includes using direct marketing for charitable purposes if there is a wider benefit to society. For the 999 Club this means that we can lawfully write to you to encourage your support of our work.

The 999 Club processes personal information for this purpose and under this lawful basis, there may be times where the quality of the evidence of consent may not be as robust as in recent years. On the recommendation of the Information Commissioners Office the 999 Club has, carried out a 2 mailouts to gain consent from its existing mailing list to gain consent prior to GDPR.

You have the right to object to our lawful processing of your information. To let us know that you do not want to receive any more direct marketing simply email office@999club.org or call  020 8694 5797, or use our website to contact us.

As a 999 Club service user we also consider that we have a genuine and legitimate interest in processing the information we have about you to support and help your journey out of homelessness. We have other legitimate interests holding and form processing. They are governance, publicity and income generation, operational management, financial management and control and for administrative purposes. There is more information about this below:

Governance:  

  • To help deliver our charitable aims (set out in our objectives)
  • To report criminal acts and comply with law enforcement agencies
  • Internal and external audit for financial or regulatory compliance purposes

 

Publicity and income generation:  

  • Direct marketing including campaigns, generating income or charitable fundraising other forms of marketing, publicity or advertisement
  • Exercising the right to freedom of expression or information, including in the media
  • Analysis, targeting and segmentation to develop corporate strategy and improve communication efficiency
  • Processing for research purposes

Operational management  

  • Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes
  • Providing and administrating of staff benefits such as pensions
  • Physical security, IT and network security
  • Maintaining of 'do not contact' lists (suppression files)
  • Processing for historical, or statistical purposes

Financial management and control  

  • Processing financial transactions and maintaining financial controls
  • Preventing fraud, misuse of services or money laundering
  • Enforcing legal claims

Purely administrative purposes  

  • Responding to any solicited enquiry from any of our stakeholders
  • Delivering requested information materials
  • Communications to service users for appointments, activities, and health related appointments where appropriate in our Gateway centre
  • Administering of Gift Aid
  • ‘Thank you’ communications and receipts

When we use your information we will always consider if it is fair and balanced to do so and if it is within a supporter's reasonable expectations. We will balance your rights and our legitimate interests to make sure that we use your personal information in ways which are not unfair or unduly intrusive.

We collect personal information that you share with us when you contact or interact with us through our website, email, phone, face-to-face, post and through our online and offline forms. You can decide not to provide certain information, or ask that any information that you have previously shared is removed - but only under certain circumstances. For example HMRC requires us to keep Gift Aid information for seven years. If this request is made, please be aware that you might not be able to take full advantage of our services or support our work to end homelessness.

For example, you might provide information to us, when contacting our advice team, making a donation, registering for an event, completing a survey, competition or questionnaire or updating your communication preferences. Through these interactions your name, address, email address, and contact number and payment information could be collected.

Employment and recruitment personal data  

As someone who applies to work for us, your interview information is kept for two years if you are successful and join us as a member of staff. For unsuccessful candidates, we keep your information for only six months after the recruitment campaign closes.

 

Supporter personal data  

As a supporter, when you use our website, or get in touch with us directly to fundraising team,  we collect information about you. This helps us understand not only your interests, but also how you may want to support and hear from us. Collecting information about those who support us helps to deliver our service and make sure that we continue to raise funds to support people who experience homelessness.

Research  

If you take part in the research we carry out, we will always explain the purpose of the research and ask your consent to use your information. You can withdraw from a research project at any time.

 

Member personal data  

As a service user, we will collect information about you that allows us to tailor our services to support your journey out of homelessness in the best way possible. We will only share your personal information with your explicit consent except for three possible circumstances: If we believe that a person is a serious risk of significant harm, and sharing information may help to protect the person at risk; through legitimate police requests to support a serious criminal investigation; or if we are directed through a court order.

The 999 Club never sells or exchanges our supporter information with other organisations.

 

Member information  

Under all data protection law in the UK and EU, certain categories of personal data are classed as ‘special category’ or ‘sensitive’. As a 999 Club service user we do ask you to provide us with some special category information to help us understand your needs and support the research we do (anonymised). Special category information includes your ethnicity, sexuality, any expressed religious beliefs, health data, self-disclosed criminal convictions. As a service user if you don’t want to share these details with us that is perfectly OK, but we may not be able to offer the full range of services available through our Gateway Centre.

 

Job applicant information  

If you apply for a job with us, and share sensitive information as part of the application process, the information will be stored in a personnel record, if you are successful, or for six months after the closure of the recruitment campaign if your application has been unsuccessful.

 

Supporter information  

As a supporter it is less likely that we may process sensitive information - but we might if you are participating in an event or working as a volunteer we need to make sure we provide appropriate facilities to support specific health issues.

Credit or debit card information  

As a supporter, if you use a credit or debit card to make a donation to us, your card details are processed through our payment-processing partners – Go Cardless and Stripe as part of the payment process.  We also accept payments through Just Giving, Local Giving, Benevity and the Charities Aid Foundation (CAF).

 

  1. Where does the information we hold come from?

Most of the information we hold is given to us directly by you during your interaction with our website, our services, or supporter activities such as fundraising. We may also receive your information when you donate to us through third party services like Go Cardless, Stripe, Just Giving, Local Giving, Benevity, the Charities Aid Foundation (CAF), and Payroll Giving Agencies.

We only keep your information for as long as we need to, to be able to use it for the reasons given in this privacy policy.

In general terms we remove identifiable personal information from our records five years after the date of your last interaction with us. In most cases this represents five years after the last financial transaction. There are two exceptions to this:

  1. Where someone has kindly left the 999 Club a gift in their Will. In these cases we will maintain our records of that pledge to carry out legacy administration and communicate effectively with the families of people leaving us a legacy.
  2. Where someone has kindly added Gift Aid to a donation to us, we are required by HMRC to retain those details for seven years after the last donation. If you request that we will delete your details, we must retain a minimum level of information to support this legal requirement from HMRC.

As one of our service users, we will keep your personal information for up to four years after you last engaged with us, except where you used a service that received external funding, as we are legally required to keep that information for longer. On request, we will delete information except if we have a legal or contractual basis to retain minimal information for example, if you had a reportable accident in our Gateway Centre, we would be legally required to retain Health and Safety records for three years.

For volunteers we keep information for four years after your last interaction with us.

If you apply to work for us, your interview information is kept for two years if successful and join us as a member of staff. For unsuccessful candidates, we keep your information for only six months after the recruitment process ends.

If you take part in research carried out by the 999 Club, we will always explain the purpose of the research and ask for consent to use your information. You may withdraw from a research project at any time. Research will be anonymised and only held for as long as the research is relevant to our work.

How can you change the way that we contact you about our services and work?

We will only send digital marketing communications when you have told us that you are happy for us to.

As a supporter you can change the way that we contact you in the following ways;

Opt-in/start contacting me:

If you hadn’t previously asked us to send you marketing communications, you can ask us to start contacting you (sometimes called an "opt-in") Simply email office@999club.org or call  020 8694 5797, or use our website to contact us

Changing communication preferences:

If you have previously said that you would like us to contact you ("opted-in") but you want to change or update that, simply email office@999club.org or call  020 8694 5797, or use our website to contact us.

Opt-out/stop contacting me:

If you want to stop receiving communications from us (sometimes called "opting out"), you can by calling our supporter services team on 08000 38 48 38 or simply email office@999club.org or call  020 8694 5797, or use our website to contact us.

  1. What personal information do we share with third parties?

 

Supporter information  

The 999 Club doesn’t share, sell or exchange your information with other organisations to be used for their own marketing communications.

Service User information  

We respect that as a service user you may be required to share information with us that is often sensitive (special category data). Where we need to share this information with external agencies to help increase or progress the support available to you, we will only do this with your explicit and informed consent. The only exception to this is where we believe that someone is at risk of real and significant harm, and the sharing of appropriate information with relevant authorities will safeguard and protect them.

When completing training which is supported by an external accreditation agency we will share your details with the training provider.

Volunteer information  

We only share volunteer information in very limited circumstances; for example where there is a serious safeguarding issue relating to you as a volunteer - we have a duty to refer it to the Disclosure and Barring Service.

 

  1. How do we protect your personal information ?

We are committed to protecting your personal information. We use appropriate technical and organisational measures to protect personal information and privacy, and we review them regularly. We protect your information using a combination of physical and IT security controls, including access controls that restrict and manage the way that information and data is processed, managed and handled.

Sensitive personal information will be stored using additional security measures and will only be shared over email in exceptional circumstances. All personnel are trained in this policy and how to properly store personal information.

Our procedures mean that we may sometimes ask for proof of identity before we share your personal information with supporters or service users - for example when we contact you we will want to check that we are speaking to the owner of that personal information.

In the unlikely event of a security breach which compromises our protection of personal information, and we need to let you know about it, we will do so. We will report breaches to the ICO within 72 hours of becoming aware of the breach. If the breach is sufficiently serious to warrant notification to the public, the charity will do so without undue delay.

 

  1. Data Protection Rights  

Where The 999 Club is using your information with consent you can withdraw that consent at any time. You also have the right to ask the 999 Club to stop using your information for direct marketing purposes. Simply email office@999club.org or call 020 8694 5797, or use our website to contact us.

Your rights are clearly laid out in data protection law, see below for more detail on your rights with regard to how the 999 Club uses data.

 

The Right to be Informed  

You have the right to be told how your personal information will be used. This Privacy Policy document is intended to be a clear and transparent description of how your information may be used.

 

The Right of Access  

You can write to us asking for what information we hold about you and can request a copy of that information. Any person wishing to exercise any of the above rights should apply in writing to the office@999club.org

We may make a charge of £10 on each occasion access is requested.

The following information will be required before access is granted:

  • Full name and contact details of the person making the request
  • their relationship with the organisation

We may also require proof of identity before access is granted.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within a month of receiving the written request and relevant fee. Information will be presented in clear and plain language, in an intelligible and accessible form.

 

The Right of Erasure (also known as the right to be forgotten)

You have the right to request that your information be deleted from our systems and databases but only in certain circumstances e.g. HMRC requires that we keep Gift Aid information for seven years.

If you have been kind enough to support us and have added Gift Aid to a donation in the past, The 999 Club has a legal duty to retain minimal information for HMRC for seven years after your last donation.

In many cases we would recommend that we suppress rather than delete your information completely, otherwise you may be contacted in error if your details are then given to us from a third party lead generation company.

As a service user you can request that your information is deleted. Each request is reviewed and where there is no legal requirement to retain information (for example health and safety, or safeguarding duty) we will remove your information. We will also ask any organisation that we have shared your information with to also delete it.

 

The Right of Rectification  

You have the right to ask that we correct and update factually inaccurate information that we may hold about you.

 

The Right to Restrict Processing  

You have the right to request that we restrict the processing of your personal data in certain circumstances:

  • When you are contesting the accuracy of the data we hold, and we are verifying the accuracy of that data.
  • When you have objected to having your information processed under the lawful basis of legitimate interest, and we are considering whether our organisation’s legitimate grounds override yours.
  • When the processing is unlawful and you oppose erasure and request restriction instead.
  • Where we no longer need the information, but you have requested your data from us to establish, exercise or defend a legal claim.

 

The Right to Object  

You have the absolute right to stop the processing of your personal information for direct marketing purposes, even in circumstances where we may be processing your information under the legitimate interest lawful basis.

 

10. Marketing and Communication Preferences

 

Cookies
We use cookies to:
(i) Estimate our visitor size and patterns;
(ii) Understand visitor preferences to update and improve our website.

 

11. What to do if you are unhappy about how the 999 Club manages your information.

In the first instance, please talk to us directly so we can help resolve any problems or queries. Call us on 020 8694 5797 or email office@999club.org

You can also register with the:

  • Fundraising Preference Service(FPS). This service is run by the Fundraising Regulator and allows you to stop email, telephone, addressed post, and/or text messages from a selected charity. Use the link above, or you can call them on 0300 303 3517. Once you have made a request through the FPS, we will ensure that your new preferences take effect within 28 days.
  • You also have the right to contact the Information Commissioners Office (ICO) if you have any concerns about how your information has been handled. You can use the link above or call them on 0303 123 1113.

12. Retention schedule

Type of Information: Supporter Personal Information
Retention Period:

  • Information connected to donations will be retained until ten full financial years have elapsed since a donors’ last gift OR two full financial years have elapsed from our notification of their death. Thereafter all data relating to the data subject will be deleted as part of an annual data hygiene programme.
  • Supporter data held in microsites, such as Mailchimp, will be retained until one full financial year has elapsed since a donors’ last gift.
    Exceptions: The name and address of people who ask not to be mailed will be kept for as long as necessary to ensure that they are not mailed again.
    The records of Donors who have expressed an interest in leaving a gift in their Will will be retained until they expressly state that they will not be leaving such a gift or until four full financial years have elapsed from our notification of their death. This will enable us to identify the correlation between expressions of interest and subsequent actions.
    Information required for the purpose of legacy administration will be retained until two full financial years have elapsed since the full Legacy gift has been received.

Data Owner (title or title equivalent): Head of Fundraising

Type of Information: Grants Casework and Beneficiary
Retention Period: Information connected to beneficiaries will be retained for a maximum of seven years after the end of service delivery relationship plus the current financial years.
Data Owner (title or title equivalent): Head of Fundraising

Type of Information: Financial Information – including: records of banking transactions, tax records, audits.
Retention Period: Retention period ranges from between six years to ten years from the end of the Financial Year in which the transaction was made, in line with regulations.
Data Owner (title or title equivalent):Office Manager

Type of Information: Gift Aid records
Retention Period: Retention of record for six years
Data Owner (title or title equivalent): Head of Fundraising

Type of Information: Details of Injuries or Accident Reports/Records
Retention Period: Six years from time of accident occurring.
Data Owner (title or title equivalent):Office Manager

Type of Information: Recruitment Information for Unsuccessful Applicants: Job Application Forms, CV’s and other details including interview notes
Retention Period:Seven months after unsuccessful applicant notified of outcome
Data Owner (title or title equivalent):Office Manager

Personnel and employment records:

Type of Information: Job description and terms & conditions; Appraisal records, objectives, performance reviews or targets agreed; Development/training needs and records of completed activities.
Retention Period: Six years after employment has ceased
Data Owner (title or title equivalent):Office Manager

Type of Information: Pay, payroll and benefits information (HMRC requirements)
Retention Period:Seven years after employee has left employment
Data Owner (title or title equivalent):Office Manager

Type of Information: Wages, salary, expenses and overtime
Retention Period: Seven years
Data Owner (title or title equivalent):Office Manager

Type of Information: Redundancy details
Retention Period:Six years after employment has ceased
Data Owner (title or title equivalent):Office Manager

Type of Information: Records of pension contributions deducted
Retention Period: Seven years after employee has left employment
Data Owner (title or title equivalent):Office Manager

Type of Information: Statutory Maternity pay records, calculations or certificates
Retention Period: Three years after the end of the tax year to which maternity period ends
Data Owner (title or title equivalent):Office Manager

Type of Information: Statutory sick pay records, calculations, certificates and self-certification
Retention Period: Three years after the end of each tax year
Data Owner (title or title equivalent):Office Manager

Type of Information: Case studies (stories of beneficiaries) that are not in the public domain
Retention Period: Three years after the end of each tax year
Data Owner (title or title equivalent):Head of Fundraising

Type of Information: Insurance policies, claims and correspondence
Retention Period: Three years after lapse or after settlement
Data Owner (title or title equivalent):Office Manager

Type of Information: Employers Liability insurance certificate
Retention Period: 40 years
Data Owner (title or title equivalent):Office Manager

Type of Information: Accident Reports and Correspondence
Retention Period: Three years after settlement
Data Owner (title or title equivalent):Office Manager

Type of Information: Trustee minutes, minutes of general meetings and other resolutions
Retention Period: Minimum 10 years from the date of the meeting or from the date of passing a resolution
Data Owner (title or title equivalent):Company secretary

Type of Information: Annual accounts and annual review
Retention Period: Permanently
Data Owner (title or title equivalent):Office Manager

Type of Information: Contracts with customers and suppliers
Retention Period: 6 years after expiry of termination of the contract
Data Owner (title or title equivalent):Office Manager

Type of Information: Health and safety records
Retention Period: Three years for general records (and permanently for records relating to hazardous materials)
Data Owner (title or title equivalent):Office Manager

Type of Information:Property deeds
Retention Period: Permanent
Data Owner (title or title equivalent):Company secretary

Type of Information:Leases
Retention Period: 12 years after the lease and liabilities under the lease have been terminated
Data Owner (title or title equivalent):Company secretary