Privacy Policy
Under the Data Protection Act 1998 and the General Data Protection Regulation 2016 the Charity has duties in terms of what personal data can be collected and how that data is processed and stored. These procedures have been developed to ensure that the Charity fulfils these statutory duties and protects the personal data of those with whom the Charity may have contact.
Note: These procedures apply to personal data collected for and on behalf of the Charity.
1 Data Protection Policy
1.1 Definitions
Data Controller means Nepal Leprosy Trust (UK) (hereby referred to as NLT UK).
Data Protection Officer means a living individual with responsibility to ensure that data protection procedures are in place and to monitor compliance. In the case of NLT UK the Data Protection Officer is the General Manager.
Data Subject means a living individual.
Legislation means statutory requirements including the General Data Protection Regulation.
Personal data means information relating to a Data Subject who can be identified from that data (or from that data plus other information in the Data Controller's possession). Personal information can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal) or a statement of intention about the Data Subject. This can be information held in electronic format or in certain kinds of paper records or in manual filing systems.
1.2 Duties of NLT UK
NLT UK has duties under Legislation in what personal data can be collected and how that data is processed and stored. NLT UK will ensure that:
• Processing will be fair and lawful and carried out with appropriate legal grounds;
• Processing will be for limited purposes;
• Processing will be adequate, relevant and not excessive;
• As far as reasonably practicable personal information will be up-to-date;
• Personal information will not be held longer than is necessary or appropriate;
• Personal data will be processed in accordance with the Data Subject's rights;
• Processing will be carried out securely;
• Personal data will not be transferred to a country or territory outside of the European Economic Area (EEA) unless that country or territory provides an ‘adequate’ level of protection for the processing of individuals’ personal data.
1.3 Rights of the Data Subject
The Data Subject has rights relating to the processing of their personal data under Legislation:
• They have the right of access to a copy of their personal data;
• They have the right to correct any mistakes in their personal data;
• They have the right to restrict or prevent their personal data being processed for direct marketing purposes and in certain other limited circumstances;
• They have the right to erasure – subject to certain conditions;
• They have the right to take proceedings through the civil courts against the Data Controller for compensation where they have suffered serious damage or distress as a result of the processing of their personal data;
• They have the right to complain to the Information Commissioner's Office (ico.org.uk) if they believe that NLT UK has not handled their personal data in accordance with data protection law.
1.4 Policy Statement
NLT UK will process personal data only with consent of the Data Subject and for the limited purposes described at the time of collection.
NLT UK will take all reasonable steps to ensure that any personal data held is accurate and up to date.
NLT UK will remove personal data when it is no longer required for the consented purpose or where the Data Subject has indicated in writing that they withdraw consent.
NLT UK will not unreasonably refuse a Data Subject’s access to their personal data.
NLT UK will not pass, or allow to be passed, personal data to third parties without the consent of the Data Subject except where required by law.
As is usual for charities and businesses NLT UK may need to disclose information to a third party if required by law (for example to government bodies and law enforcement agencies), including for the purposes of investigating a complaint, or if NLT UK has the data subject’s permission to do so.
Like most charities and businesses NLT UK relies on a number of third-party providers to support its day-to-day operations, for example in areas such as online file storage and email delivery. It may also hire third parties to operate, maintain or improve its website and other digital services.
Some of these service providers will by necessity have access to or be directly involved in processing or storing a subset of the personal information shared with us.
All NLT UK’s third-party data processors have been carefully chosen as service suppliers who also practise responsible data handling. NLT UK believes that each has in place appropriate protections to ensure the security of the data it stores or processes with them and has clear policies for how it treats that data.
1.5 Our Legal Bases for Processing
NLT UK will collect and process information about the data subject only where we have a legal basis for doing so. Additional information is provided below but in general terms it will only collect and use information where:
- It is necessary for NLT UK to provide the data subject with a service that it understands the data subject wants us to provide (for example, keeping the data subject informed about NLT UK activities, facilitating a visit to Nepal).
- It satisfies a legitimate interest, which is not overridden by the data subject’s data protection interests.
- The data subject has given NLT UK consent to do so for a specific purpose.
- NLT UK needs to process data to comply with a legal obligation.
In cases where the data subject has consented to the use of their personal information for a specific purpose, they have the right to change their mind at any time. Where NLT UK is using information because it has a legitimate interest to do so, the data subject has the right to object to that use.
NLT UK requires consent from the Data Subject to process personal data where the Data Subject can be identified by that data.
Legislation allows NLT UK to process general contact details as this information can be regarded as being in NLT UK’s legitimate interest. Explicit consent will normally be sought when data is collected.
Consent is required to process personal data from all Data Subjects 16 years of age or over, or from their power of attorney. Consent from a parent or guardian is required to process the personal data for Data Subjects under 16 years of age.
2 Data Collection
2.1 Data Collection Forms
Data collection and consent forms shall generally be used to collect personal data.
Where required forms shall be developed for specific purposes and these forms shall request only the information necessary for the specific purpose.
Data collection and consent forms will be either in paper or electronic format.
2.2 Cookies and Website links
The NLT UK website uses cookies in order to function better and give users a better experience. A cookie acceptance pop-up will appear, with a link to explain which cookies are used. The data subject can control what cookies their web browser will accept and store through their browser settings.
The NLT UK website and emails contain a number of links to third party sites. These external sites are governed by their own privacy policies and NLT UK does not accept any responsibility or liability for these policies. It also cannot be responsible for personal information that third parties may collect, store and use through their website. The inclusion of a link to an external source should not be understood to be an endorsement of that website, its owners or their products/services. The data subject should always check the individual privacy policies of these external sites before submitting any personal data through them.
3 Data Processing
3.1 Types of Data Processed
Data is primarily collected and processed to enable NLT UK to communicate with its supporters. Types of personal data processed include, but are not limited to:
• General contact details to enable NLT UK to communicate with supporters about NLT UK events, activities and news.
• Contact and other details as part of the overseas visit application process for people wishing to visit the NLT projects in Nepal. This will include emergency contact, marital status, date of birth, passport, references and work/study history.
• Contact details and employee details such as National Insurance Number, date of birth, and bank details, to enable NLT UK to fulfil its obligations as an employer.
• Disclosure and Barring Service (DBS) and self-declaration details where safeguarding issues are involved.
3.2 Processing Policy
General contact details of supporters shall be entered into the NLT UK contact database with consent and may include name, address, telephone number, and email address. These are used for sending the quarterly newsletter and the monthly prayer letter and other occasional mailings which are only sent (by post or by email) to people who have requested them. A supporter’s personal data can be removed from the database at any time at the request of the supporter.
Short term visitor application details are co-ordinated by the General Manager and will be held on the NLT UK General Manager’s computer and on a paper file copy kept in the office safe. The data subject’s details will only be kept while the visit application is live and then for six months beyond that, when it is clear that there is no further contact required. Where a visit takes place, the basic visitor contact details will be added to the NLT UK contact database with consent, so that newsletters, etc, can be sent out to continue the connection with the visitor. Data Subject applications that did not result in a visit will be deleted from any computer containing them and removed from the paper file where present.
Personal data related to specific short term activities or events shall be retained only for the period of the activity or event except that contact details may be retained where consent has been given.
For employees, the data subject's details shall be passed with their consent, to the third party firm responsible for payroll. In addition their contact, emergency contact, marital status, date of birth and right to work status shall be entered into NLT UK’s employee database. This will normally be held on the computer belonging to the treasurer of NLT UK. This data will be held as long as the Data Subject continues to be an employee or as long as statutory requirements demand.
All computers used by NLT UK are password protected, and back-up drives are also password protected.
3.3 Retention of Data Collection Forms
Until the Data Subject's personal data has been processed in line with the processing policy the data collection and consent form shall be treated as a Paper Record retained in accordance with section 3.5 below.
Once the Data Subject's personal data has been processed the data collection and consent form shall be destroyed as soon as reasonably practicable and certainly within one month.
All reasonable care shall be taken to ensure that the Data Subject's personal data contained upon the form cannot be identified from the destroyed form.
3.4 Electronic Records
Electronic personal data records shall be held on a computer at the NLT UK office.
The personal data shall be stored within a database behind a password protected account. Personal data shall only be accessed by NLT UK personnel authorised to do so.
3.5 Paper Records
Electronic data format is preferable, but where personal data is recorded in a paper format, including data collection and consent forms, it will generally be stored within a locked cabinet, cupboard or drawer.
Access to the locked storage shall be available only to authorised NLT UK personnel.
All reasonable care shall be taken to ensure that where personal data is to be retained for a short duration it is kept in a secure manner.
3.6 Periodic Review
All personal data shall be reviewed periodically to ensure that data is being used only for the consented purposes, and that data that is no longer required is removed. For general contact details this will normally be carried out annually. For other purposes shorter durations may be required.
Personal information must not be held longer than is necessary, nor used for any purpose other than that consented.
4 Protection of Personal Data
4.1 Access to Personal Data
Access to personal data shall be limited as described in sections 3.4 and 3.5; except where a Data Subject has requested access to their own data as described in section 5.1.
4.2 NLT UK Contact Database
The contact database is held on a password protected computer and shall not be made available to anyone outside of NLT UK.
Every effort will be made to ensure that the data held on the NLT UK contact database is up to date. When asked by a Data Subject to remove their personal data from the database, NLT UK will do so as soon as reasonably possible.
If details are not up to date and require amending, or if the data subject would like information removed from the NLT UK contact database, please contact NLT UK on: 020 8940 1200 or email: info@nlt.org.uk, and it will endeavour to make changes as quickly as possible.
4.3 Email
When sending out bulk newsletters, prayer letters, or other communications by email, NLT UK personnel will take every precaution to ensure that supporters are contacted only via the “blind copy” (BCC) function to ensure that supporter email addresses are not visible to other supporters.
When responding to, or forwarding, emails, NLT UK personnel will take care not to use the “reply all” function without ensuring that the sharing of email addresses will not contravene the data protection requirements. Generally the email “TO” and “CC” facility will only be used where small groups are communicating in a group email session, especially where there is a need to ensure addressees are aware of to whom the email has been sent.
When replying to or forwarding an email, all reasonable care shall be taken to minimise inadvertent sharing of email addresses by removing any unnecessary email addresses.
Note: NLT UK will avoid using 'Reply to All' unless there is a need to reply to all. Instructions about how to ‘unsubscribe’ from NLT UK’s lists will be included in every bulk emailing.
When NLT UK is sent an email, either to one of the addresses displayed on its website or to an individual member of staff, it will collect the data subject’s address and any other information provided within the email.
‘Eclipse’ (owned by KCOM Group) is NLT UK’s email service provider, so any emails sent to it might be stored on ‘Eclipse’ servers.
The information provided by a data subject to NLT UK will only be processed in relation to the purpose for which the data was provided. NLT UK has no fixed retention period for email correspondence, but is committed to storing data for no longer than is necessary to serve its legitimate interests of record keeping or to perform a service or contract it has entered into with the data subject.
4.4 Third Parties
NLT UK will not pass, or allow to be passed, personal data to third parties without the consent of the Data Subject except where required by law.
5 Data Subject Access, Amendment and Complaint
5.1 Access to Personal Data
The Data Subject has the right of access to a copy of their personal data.
In order to access a copy of their personal data the Data Subject shall submit a ‘Subject Access Request’ in writing to the Data Protection Officer.
The Data Protection Officer shall provide a response to the Data Subject as soon as is reasonably practicable and certainly within one month of receipt of the request.
Note: The one month time limit is a statutory requirement of the General Data Protection Regulation 2016.
5.2 Amendment to Personal Data
The Data Subject has the right to correct any mistakes in their personal data and has the right to erasure (subject to certain conditions).
In order to correct any mistakes in their personal data the Data Subject shall provide details of the correction in writing to the NLT UK Data Administrator.
Any request for removal of personal data shall be made in writing to the NLT UK Data Administrator.
The amendment, whether correction or removal, shall be made by the Data Administrator as soon as is reasonably practicable, following receipt of the request.
5.3 Concerns and Complaints
NLT UK will endeavour to meet the highest standards when collecting and using personal information. For this reason, it will take any complaints it receives about this seriously and will encourage individuals to bring it to its attention if they think that the collection or use of information is unfair, misleading or inappropriate. NLT UK will welcome any suggestions for improving its procedures.
To exercise all relevant rights, queries or complaints, in the first instance please contact our Data Protection Officer at: info@nlt.org.uk. All reasonable concerns shall be investigated by the Data Protection Officer and a response provided to the person raising the concern as soon as is reasonably practicable and certainly within one month of receipt of the request.
If this does not resolve the complaint to the complainant’s satisfaction, the complainant has the right to lodge a complaint with the Information Commissioner’s Office at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom (on 03031231113 or via its website: ico.org.uk).
5.4 Personal Data Breaches
A breach is considered any loss, alteration, unauthorised disclosure of, or access to, personal data. NLT UK is committed to disclosing any personal data breaches that might adversely affect a data subject’s rights and freedoms without undue delay so that they can take appropriate action. Any notifiable breaches will also be reported to the UK’s Information Commissioner’s Office within 72 hrs. This includes breaches affecting the third party services identified in this privacy policy, where personal data is being held on NLT UK’s behalf.
5.5 Questions & Access Requests
The General Data Protection Regulation (GDPR) gives a data subject the right to know what personal data NLT UK holds about them, to have it updated if it is inaccurate, or removed entirely if the data subject no longer consents to NLT UK’s use of it. NLT UK will endeavour to respond to any such requests within one month confirming receipt and outlining what follow-up actions will be taken and when.
NLT UK also welcomes questions about its Data Protection Policy and these, or any access requests, should be directed to its Data Protection Officer at: info@nlt.org.uk
Nepal Leprosy Trust
10A The Vineyard Richmond TW10 6AQ United Kingdom.
Policy Changes
Any updates NLT UK may make to its Data Protection Policy in the future will be published on its website.
If NLT UK wishes to use personal data for a new purpose not covered by this Policy, then it will provide relevant data subjects with a new notice explaining this new use prior to commencing the processing, setting out the relevant purposes and processing conditions.
Please check regularly to keep informed of updates to this Data Protection Policy as data subjects will be deemed to have accepted any changes if they continue to use NLT UK’s website after an update has been posted.
NLT’s Privacy Policy was last updated in May 2019.