This is the Privacy Notice for Kangaroos Mid Sussex.
The purpose of this notice is to inform you about how and why your personal data is used, so that we at Kangaroos Mid Sussex are as transparent as we possibly can be, and to ensure that you are aware of your rights under UK data protection legislation.
Kangaroos Mid Sussex is a company registered with Companies House under registration 8273898 and with the Register of Charities under number 1150202. Our postal address is Unit 7 and 8, More House Farm Business Centre, Ditchling Road, Wivelsfield, Haywards Heath, England, RH17 7RE. You can contact us at firstname.lastname@example.org or on 01444 459108.
The purpose for processing your data and our basis for doing so.
We process personal data so we can provide our support services to children, young people and adults with learning disabilities. This includes a wide range of after school, weekend and school holiday clubs and activities.
When we process your personal data, we must establish our legal basis for doing so, and that legal basis can be different depending on the circumstances in which we process it. You will see references to the basis of processing, e.g. "(Article 6.1.f)", and this is a reference to the article of the UK General Data Protection Regulation under which we undertake the processing in question.
We process data from a variety of people and organisations (data subjects) and this privacy notice is intended to provide information about that broad data processing activity.
Members / parents and guardians
When we engage in membership enrolment, we will hold the following identity and contact information:
Contact telephone number(s)
Date of birth
Primary contact / parent / guardian and secondary contact - Name & Contact Details
We will also process information relating to the identity and contact details of schoolteachers and social workers where relevant as well as general practitioner and other relevant healthcare practitioners. We will record details relating to finances and benefits as well as contextual family and other background information to allow us to provide the best care possible. We process financial information for membership payments.
The legal basis for processing this membership information is Article 6.1.f UK GDPR, being in our legitimate interest to do so, where our interest does not outweigh those of the member, potential member or parent / guardian.
In addition to the above, we also process what is known as ‘special category’ data, and this relates to health, religion and ethnicity. We process health information as we have a legitimate interest in ensuring the support and activities we provide are suitable for the member and their specific condition. We have an obligation to process data relating to ethnicity and religious beliefs for the purpose of reporting to West Sussex County Council for funding criteria. Our legal basis for this is Article 6.1.c – we have a legal obligation. All processing of special category personal data is allowed by Article 9.2.d of the UK GDPR as our legitimate activities.
To undertake certain activities with our members, we will ask permission of the parent or guardian. This may be for undertaking travel by train or motor vehicle, to have photographs taken of the member or to have their face painted. The legal basis for this is Article 6.1.a – consent of the data subject. Where we use consent as a basis of processing, it can be withdrawn at any time by contacting us. Please bear in mind that consent cannot be retrospectively withdrawn.
All data we process is provided by members directly.
Supporters / Donors
For those individuals and organisations that support and donate to Kangaroos Mid Sussex, we process the following types of personal data:
Gift Aid declaration details
We obtain personal data from supporters and donors either directly or through third party donation platforms.
We will also use your contact data to send occasional updates via email to members’ parents / guardians and anyone else who has consented to receive these. If you are an existing member, we are permitted to send you email marketing as we have already collected your data during our engagement. You can withdraw your consent at any time by using the ‘unsubscribe’ function on the email. If you are a corporate supporter or donor, we will send you email updates and information promoting the charity as a legitimate interest activity. You can unsubscribe from this at any time by using the link on each email we send.
If consent is withdrawn or you object to our marketing, we will retain the minimum amount of your data on our marketing database to ensure your email is suppressed from our marketing activity. Our legal basis for this is Article 6.1.c – we have a legal obligation not to continue to send you direct electronic marketing without a lawful basis.
Recipients of your data
As a general principle, we will not transfer your personal data to other recipients without your permission. There are some exceptions to this:
It is possible that we might be obliged to disclose personal information in response to a court order or other lawful obligation. Our lawful basis for this is Article 6.1.c legal obligation.
Her Majesty’s Revenue and Customs will also receive some of your personal data. The lawful basis for sharing this is Article 6.1.c – legal obligation.
We share aggregated and anonymised personal data with public authorities when required for purposes of reporting for grant funding. The lawful basis for sharing this is Article 6.1.f – it is in our legitimate interest to obtain grant funding.
We share aggregated and anonymised personal data with other potential or actual donors. The lawful basis for sharing this is Article 6.1.f – it is in our legitimate interest to obtain funding through donations.
We share limited personal data in case studies to public authorities or donors with the subject’s consent. This lawful basis is Article 6.1.a – consent. You can withdraw consent for this processing at any time by contacting us, but it cannot be applied retrospectively.
Data processed by third parties on our behalf
We use the services of other organisations in the processing of your data. We use cloud-based accounting platforms, email and document storage, video conference platforms, marketing platform, customer relationship management platform, booking and scheduling platform, card payment provider, and charitable giving platforms. Our website also processes limited personal data such as IP address and contact details through our contact form. Our web host service processes this information for us.
Those organisations that process personal data on our behalf are subject to a data processing contract as required by Article 28 of the UK GDPR. This ensures that your data is handled in accordance with the UK GDPR.
Transferring your data outside of the UK
We do transfer data outside of the UK as some of our cloud platforms are located overseas. If your data is sent out of the UK, we ensure that there are approved mechanisms to do so, such as adequacy decisions under Article 45 UK GDPR, standard contractual clauses under Article 46.2 UK GDPR or in exceptional circumstances, allowable derogations under Article 49 UK GDPR. Currently, Kangaroos Mid Sussex transfers personal data to the EEA and the USA.
We will retain your data only for the time we require it for the purposes stated and / or where we have a legal obligation or other legitimate purpose.
Our criteria to determine the retention of personal data are contained within the Management Framework for Retention and Transfer Charity Records and Archives June 2019.
The UK GDPR requires us to implement technical and organisational measures to protect your data. We have developed policies and procedures to ensure we treat personal data lawfully and keep it secure. We train our staff on the requirements of the legislation and the need for data protection. Our IT systems have protection installed and our online platforms are accessed through user authentication, and we have access controls in place. We use Transport Layer Security (TLS, also known as SSL) to encrypt any data you supply to us through our website.
The UK GDPR provides you with several rights in relation to the data of yours we process. The rights relevant to our activities are:
You have the right to get access to and copies of your personal data.
You can, in certain circumstances, restrict our processing of your data and request us to erase it (although we may have to retain some for legal reasons).
You can ask us to rectify any inaccurate information we may be holding.
If you want to exercise any of these rights, contact us on the above email address.
You also have the right to lodge a complaint about our processing with a supervisory authority — the UK's Information Commissioner's Office.
Information Commissioner's Office Wycliffe House
Cheshire SK9 5AF
Telephone: 0303 123 1113