Volunteer privacy policy

 

  1. What is the purpose of this document?

    British Heart Foundation is committed to protecting the privacy and security of your personal information.

    This privacy policy ('Privacy Policy') describes how we collect and use personal information about you during and after your volunteering relationship with us, in accordance with the General Data Protection Regulation (2016/679) (GDPR), the UK Data Protection Act 2018 and other applicable UK and EU laws that regulate the collection, processing and privacy of your personal information (together, 'Data Protection Law'). This Privacy Policy applies to all prospective, current and former volunteers.

    For the purposes of Data Protection Law, British Heart Foundation acts as a "data controller" of the personal information we hold about you. This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection Law to notify you of the information contained in this Privacy Policy.

    It is important that you read this Privacy Policy, together with any other privacy policy or notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

  2. Data protection principles

    We will comply with Data Protection Law. This says that the personal information we hold about you must be:

    • 2.1.Used lawfully, fairly and in a transparent way.
    • 2.2.Collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
    • 2.3.Adequate, relevant and limited to the purposes we have told you about.
    • 2.4.Accurate and kept up-to-date.
    • 2.5.Kept in a form that permits identification of the “data subject” (you) only for as long as necessary for the purposes we have told you about.
    • 2.6.Processed in a manner that ensures appropriate security of the personal information.
  3. The type of information we hold about you

    Personal information (which may also be called personal data), means any information about an individual from which that individual can be identified, whether directly or indirectly. It does not include data where personally identifying elements have been removed (anonymous data). We will collect, store, and use the following categories of personal information about you:


    Category

    Data collected

    What we use it for

    Shared with third parties

    All volunteers

    Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses

    To contact the volunteer

     

    All volunteers

    Recruitment information (references and other information collected as part of the application process)

    Making a decision about your recruitment as a volunteer.

     

    All volunteers

    Information about any criminal convictions and offences as part of the recruitment process (collected on application form)

    Making a decision about your recruitment as a volunteer for the role you have applied for.

     

    All volunteers

    Mailing preferences:

     

     

    Name

    Email address

    Mobile number

    To send e-newsletter and marketing communications where consent has been obtained for such activity.

    Mailchimp

    Name

    Postal address

    Telephone

    To send marketing communications where consent has been obtained for such activity.

    Mailing houses

     

    All volunteers

    Date of birth

    To ask for consent if the volunteer is under 18 (in circumstances where we are able to accept applications from under 18s).

     

    Trustees

    Name, title, address, telephone number, personal email address, date of birth

    Registers of Directors and Members

    To contact the trustee in relation to their role at the BHF

    Companies House Charity Commission

    All volunteers

    Emergency contact information.

    To contact someone in case of emergency

     

    All volunteers

    Performance information

    To provide a reference if requested.

    If requested

    All volunteers

    Information about your race or ethnicity, religious beliefs, and sexual orientation collected anonymously and as an optional question only

    To monitor our diversity and inclusion processes and to identify trends

     

    All volunteers

    Information about your health, including any medical condition

    To comply with our health & safety obligations and enable any reasonable adjustments to be made

     

     

  4. How is your personal information collected?

    We collect personal information about volunteers through the application and recruitment process, directly from candidates. We may sometimes collect additional information from third parties, including former employers.

    We may collect additional personal information (including from our CCTV and access control systems) in the course of volunteering activities throughout the period of you volunteering for us.

    Please ensure that any personal information you supply to us which relates to third party individuals is provided to us with their knowledge of our proposed use of their personal information.

  5. The lawful grounds on which we use information about you

    We will only use your personal information when the law allows us to. We process your personal information for the above purposes relying on one or more of the following lawful grounds:

    • 5.1.Where we need to perform the contract we have entered into with you, or in order to take any pre-contract steps at your request and/or to perform our contractual obligations to you;
    • 5.2.Where it is necessary for us to comply with a legal obligation;
    • 5.3.Where you have freely provided your specific, informed and unambiguous consent for particular purposes;
    • 5.4.Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In broad terms our legitimate interest is fulfilling the charitable purpose of British Heart Foundation, which involves sending direct marketing to our supporters, contacting our volunteers to plan and administrate activities, taking steps to ensure and monitor compliance with our legal obligations and internal standards and procedures, assessing suitability of volunteers for potential roles and keeping records of volunteer activities and performance.

    We may also use your personal information in the following situations, which are likely to be rare:

    • 5.5.Where we need to protect your interests (or someone else's interests), such as in a medical emergency.
    • 5.6.Where it is needed in the public interest.
  6. How we use particularly sensitive personal information

    If we process 'special category' or 'sensitive' personal information, such as information regarding your ethnic origin or political, philosophical and religious beliefs, health or sex life. the we will only do this with your explicit consent; or, to protect your vital interests (or someone else’s interests) when you are not capable of giving your consent; or, where you have already publicised such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.

    In particular, with your consent, where it is needed to assess your volunteering capacity on health grounds, subject to appropriate confidentiality safeguards, we will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work and to provide appropriate workplace adjustments.

  7. If you fail to provide personal information

    If you fail to provide certain information when requested, we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers and volunteers) and we may not be able to process your application to volunteer with us or offer you certain volunteering opportunities.

  8. Change of purpose

    We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is related to the original purpose.

    If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

  • Information about criminal convictions

    We will only collect information about criminal convictions where it is appropriate given the nature of a volunteering role and we are legally permitted to do so. If it is appropriate and legal, this information may be collected as part of the volunteer recruitment process or in the course of volunteering for us, but may also be provided to us directly by you in the course of you volunteering for us.

    We will use information about criminal convictions and offences in the following ways:

    • 9.1.To determine, without discrimination, your suitability for the role;
    • 9.2.To continue to ensure you are still suitable for the role, including by means of continual screenings, where appropriate.

    We collect and process information about criminal convictions for the above purposes relying on one or more of the following lawful grounds: with your consent; or, less commonly, to protect your vital interests (or someone else’s interests) when you are not capable of giving your consent; or, where you have already publicised such information; or, where we need to use such information in connection with a legal claim that we have or may be subject to.

    Processing of information about criminal convictions will be in line with an appropriate policy and safeguards which we are required by law to maintain when processing such information.

  1. Data sharing

    We may have to share your data with third parties as set out in this policy (please see the table at paragraph 3).

    We require third parties to respect the security of your data, use it only for lawful purposes and in in accordance with Data Protection Law.

  2. Transferring information outside the EU

    For financial and technical reasons we may, on occasion decide to use the data hosting or data processing services of a supplier who is based outside the UK and European Economic Area (EEA), which means that your personal information may be transferred to that supplier and processed and stored outside the UK and EEA. This includes countries that are not considered to have the same standards for legal protection of personal information that you enjoy in the UK. We will always take steps to choose highly reputable suppliers, who respect your security and will put in place suitable legal safeguards with that supplier to protect your personal information, so that it is subject to the same privacy standards that you have in the UK.

    If and when this occurs, the supplier is usually based in the USA and we always ensure that they have adopted the EU-US Privacy Shield Framework or are subject to EU-approved contract clauses which offer a mechanism for the non-EU based supplier to comply with EU data protection requirements in respect of your personal information.

    For more information about this (and any safeguards we've taken) please contact the Head of Information Security or the Data Protection Officer.

  3. Data security

    We have put in place appropriate technical and organisational measures to protect the security of your information.

    Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

    We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those volunteers, employees, agents, contractors and other third parties who have a business need to know.

    We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Further detail as to how we deal with data breaches can be found in our Data Protection Policy.

  4. Data retention

    How long will you use my information for?

    We will only retain your personal information for as long as necessary to fulfil the purposes  we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Personal information that we no longer need will be securely destroyed.

    In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

  5. Rights of access, correction, erasure, and restriction
    • 14.1.Your duty to inform us of changes

    It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your volunteering relationship with us.

    • 14.2.Your rights in connection with personal information

    Under certain circumstances, by law you have the right to:

    1. Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

     

    1. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

     

    1. Request erasure of your personal information. This is also known as ‘the right to be forgotten’ and it enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

     

    1. Object to processing of your personal information if and where we rely on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

     

    If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer in writing using the contact details below.

     

    • 14.3.No fee usually required

    You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

    • 14.4.What we may need from you

    We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

    • 14.5.Right to withdraw consent

    In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

    Please note, however, that the withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.

  6. Data protection officer

    We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact our DPO at [email protected]

  7. Changes to this privacy policy

We reserve the right to update this privacy policy at any time, and we will provide you with a new privacy policy when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy policy, please contact a member of the Legal Team.