Groundswell collects and processes personal data relating to volunteers, including trustees. We use the information to:
- Run recruitment processes and make decisions about suitability to volunteer with us.
- Check you are legally entitled to volunteer in the UK.
- Maintain accurate and up-to-date personnel records and contact details (including details of who to contact in the event of an emergency).
- Administer expenses you incur whilst volunteering with us.
- Gather evidence in relation to and operating and keeping a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace.
- Obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health
- and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
- Comply with health and safety obligations.
- Provide references on request for current or former volunteers.
Where is data stored?
Data will be stored in our Salesforce database and on other IT systems (including email). Some paper based records are also kept under lock & key.
What information does the organisation collect?
We collect a range of information about you when you apply to volunteer with us:
- your name, address and contact details, including email address and telephone number;
- details of your qualifications, skills, experience and employment history;
- whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;
- information about your entitlement to work in the UK
- date of birth and gender.
- Details of your bank account and national insurance number.
- Information about your marital status, next of kin, dependants and emergency contacts.
- Details of any disciplinary, capability or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.
- Details of any safeguarding concerns or referrals made to the Disclosure and Barring Service (DBS).
- Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence.
- Supervision and other management notes in relation to the performance of your role.
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your criminal record.
- Details of periods of sickness absence taken by you, and the reasons for the leave.
- Details of attendance and sickness procedures in which you have been involved, including any stages of the process you have reached and correspondence.
- Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments.
Why does the organisation process personal data?
We process data on our volunteers in order to fulfil our contracts with the NHS to deliver the Homeless Health Peer Advocacy service. The contracts require us to provide and support a team of volunteers with experience of homelessness to deliver the service.
In the case of trustees, we have a legal obligation to process personal data in order to check suitability and eligibility to become a trustee.
Who has access to data?
Your information will be shared internally with relevant members of the team, e.g your line manager, other senior staff and the finance staff for processing expense payments.
We share your data with third parties who manage our databases and administrative systems and in order to obtain references from others about your suitability to volunteer and obtain necessary criminal records checks from the Disclosure and Barring Service.
Keeping your information secure
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. With the exception of our occupational health provider (who uses your data for the purposes of advising you directly and safeguarding your wellbeing) we do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Sharing outside of the EEA
Subject to the exceptions below your data will not be processed outside of the European Economic Area (EEA).
We may from time to time use an online survey tool based in the United States and as such data contained in surveys will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the survey tool provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome
For how long does the organisation keep data?
6 years after end of volunteering
What are your rights?
As a data subject, you have a number of rights which are outlined below.
- Right of access – Individuals can request to access and obtain a copy of all data we hold on them. This request is commonly referred to as a subject access request.
- Right to rectification – Individuals can require us to change incorrect or incomplete data.
- Right to erasure – Individuals can require us to delete all their data under certain conditions.
- Right to object – In certain circumstances, individuals can object to us processing their data.
- Right to restrict processing – Individuals have the right to restrict the processing of their personal data where they have a particular reason. In most cases we would need to have the restriction in place for a certain period of time not indefinitely.
- Right to portability – This gives individuals the right to receive personal data they have provided to us. They can also request that we give it directly to another controller.
If you would like to exercise any of these rights, please contact Groundswell’s Data Protection Lead on the details at the beginning of the General Privacy Notice. You can make any request in any form you choose – writing, email, phone, face to face or through a third party such as a solicitor.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner’s Office (ICO). The details are in the General Privacy Notice.