At the Cart Shed, we believe that being involved in nature has benefits for everyone.
Woodland Sites
Privacy Policy
Full Privacy Notice for The Cart Shed Charity
Your personal data is defined as any information that can directly or indirectly identify you. This Privacy Notice explains when and why we collect personal information about you, how we use it and the conditions under which we may disclose it to others. This notice also explains how we keep your data safe and secure and includes information you need to know about your rights and how to exercise them.
If you have any questions regarding our Privacy Notice and our use of your personal data or would like to exercise any of your rights, please get in touch via the following means:
Email us: info@thecartshed.co.uk
Telephone us: 01544 318231 / 07552 872749
If you are unhappy with the way we process your data, please get in touch by using one of the contacts above. You can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by:
Telephone 0303 123 1113
Write to the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Online via www.ico.org.uk/concerns
Table of Contents
1.Who are we?
2.Personal data collected, how and why we collect it, and on what lawful basis
3.Fundraising and Marketing Communications
4.Your Rights
5.Transferring your information outside of the United Kingdom
6.Changes to our Privacy Notice
APPENDIX 1 – Human Resources
How and when do we collect information about you?
What types of information is collected about you and who provides it
How is the information used?
Lawful basis for processing
How long do we keep your data
Confidentiality - who do we share your data with?
APPENDIX 2 – Service Users
How we collect information about you?
How is your information used?
Lawful basis for processing
How long do we keep your data for?
Confidentiality, data sharing and safeguarding
APPENDIX 3 – Fundraising
Information collected and why - who provides it, data retention and lawful basis
How long do we keep your data for?
Confidentiality - who do we share your data with
APPENDIX 4 – Website visitors and cookies
Website Cookies
Social Media
Links to other websites
1 - Who are we?
We are The Cart Shed, and for the purposes of UK Data ii Law we are registered with the ICO under registration number ZA206672.
We work with adults and young people experiencing mental health difficulties or with those of us who have emotional imbalances in our lives.
Our registered address in Norton Canon, Herefordshire, HR4 8QN, and we refer to ourselves as TCS in this privacy notice.
2.Personal data collected, how and why we collect it, and on what lawful basis Appendix 1 – Human Resources
Appendix 2 – Service Users
Appendix 3 – Fundraising
Appendix 4 – Website visitors and cookies
3.Fundraising and Marketing Communications
Your contact details may be used to provide you with information about our services or our fundraising opportunities via:
●Post - We may use our Legitimate Interest to send you fundraising or marketing communications by post. If you prefer not to hear from us this way, please get in touch by using any of the contact details listed at the top of this notice.
●Phone - If you have provided us with your telephone number or email address, we may contact you by phone with fundraising and marketing communication under our legitimate interest (unless you told us not to do so).
●Email, text or other electronic message - We will only send you fundraising and marketing communications by email, text or other electronic message if you have provided your consent or if you have been involved in a transaction with us. You may opt-out of our fundraising and marketing communications at any time by letting us know by using any of the contact details listed at the top of this notice.
4.Your Rights.
Under data protection laws in the UK and EU, you have certain rights over the personal information that we hold about you. If you would like to exercise your rights, please get in contact using any of the contact details listed above.
Here is a summary of the rights we think apply:
a)Right to be Informed - You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing of it. This Privacy Notice sets this information out but if you would like further information, please get in touch.
b)Right of Erasure – also known as the right to be forgotten. You may ask us to delete some or all of your information we hold about you. Sometimes where we have a legal obligation we cannot erase your personal data.
c)Right to Object - You have the right to object to any processing where we are using your personal information
d)Inaccurate personal information corrected - Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us and we are working on ways to make this easier for you to review and correct the information that we hold about you. If any of your information is out of date or if you are unsure it is accurate, please get in touch through any of the contact details listed in this notice.
e)Right of restriction - You have a right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
f)Right to Access your information - You have a right to request access to a copy of any personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whenever it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required.
g)Automated decision making - Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you. TCS does not use automated decision-making.
h)Portability - You can ask us to provide you or a third party with some of the personal information that we hold about you.
i)Right to withdraw consent - Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
5.Transferring your information outside of the United Kingdom
Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include (but are not limited to) the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
6.Changes to our Privacy Notice
This privacy notice is kept under regular review. If we make any significant changes to the way in which we process your information, we’ll make the required changes to this Privacy Notice and will notify you so that you can raise any concerns or objections with us.When making less impactful changes, we’ll update this notice and post a summary of the changes on our website.
This privacy notice was last updated in July 2024.
APPENDIX 1 – Human Resources
Freelancers, job applicants and current and former employees, trustees and volunteers
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. We also legitimately collect data about you from third parties, such as employment agencies or former employers when gathering references.
What types of information is collected about you and who provides it?
We keep several categories of personal data on our employees/freelancers/job applicants/trustees and volunteers in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each individual and we also hold the data within our computer systems, for example, our holiday booking system. Specifically, depending on your type of engagement with The Card Shed, we may process the following types of data:
a)personal details such as name, address, phone numbers
b)name and contact details of your next of kin
c)your photograph, your gender, marital status
d)footage of the organisation events where you may appear
e)information of any disability or other medical information you have disclosed
f)right to work documentation
g)information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc
h)National Insurance number, bank account details and tax codes
i)information relating to your employment with us (e.g job title, job description, salary, terms and condition of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings.
j)internal and external training modules undertaken
k)information on time off from work including sickness absence, family related leave etc
l)IT equipment use including telephones and internet access
m)your biography and picture for the website (if applicable).
We may also process special category of data which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data. We may also process criminal records information if the role involves DBS check.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ you. Holding your personal data enables us to meet various administrative tasks, legal obligation or contractual/agreement obligations. We process information in relation to the DBS for our safe recruitment practices.
Lawful basis for processing
We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers. We may also have legal obligation in order to process and share your data - for example we need to share salary information to HRMC or use some of your data to enrol a new employee on a pension scheme.
We may rely on our legitimate interest for processing activity such as keeping supervision and appraisal records; using your image, bio and videos/pictures of the organisations’ events where you may appear on our website or marketing/fundraising materials to promote the charity.
Some special categories of personal data, such as information about health or medical conditions, is processed in order to carry out employment law obligations (such as those in relation to colleagues with disabilities and for health and safety purposes). We may also process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief for the purposes of equal opportunities monitoring.
When processing criminal records in order to perform DBS check, the organisation relies on the lawful basis of legitimate interest. When processing special category of data and criminal records, we rely on additional conditions of the UK GDPR and DPA 2018.
How long do we keep your data?
We only keep your data for as long as we need it, which will be at least for the duration of your employment/engagement with us though in some cases we will keep your data for a period of 6 years after your employment/engagement has ended. If you’ve applied for a vacancy or volunteering role but your application hasn’t been successful, we will keep your data only for 12 months. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us using the details above if you want to know more about retention period. Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality - who do we share your data with?Data in relation to your salary is shared with HRMC as part of our legal obligation. Data may be shared with third parties for the following reasons: for the administration of payroll, pension, HR functions. When sharing information with third parties, we have data sharing, processor agreements or contracts in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.2.APPENDIX 2 – Service UsersHow we collect information about you?Information provided by the referrer during the assessment processes may be: name, data of birth, gender, contact details, health conditions, contacts of health professionals and other support agencies, GP’s, behavioural information, life background, risk, benefits, emergency contactInformation provided by you during the engagement phase: Case studies, photographs, filming (for which consent is obtained), evidence of attendance, footage of events for marketing and communication.The information collected may include special category of data which include health information, sexual orientation, race, ethnic origin, political opinion, religion, education, entitlement to benefits. They may also contain criminal records information. How is your information used?We may use your personal information to ●Carry out a thorough assessment of your needs;●Provide an appropriate service which best meets your needs;●Provide progress reports to funders;●Claim payments from the funders;●Monitor and manage risk;●Protect yourself and the general public;●Safeguarding;●Collate anonymised or pseudonymised statistical information for funders, the charity and delivery partnersLawful basis for processingWe rely on legitimate interest as our lawful basis for processing your personal data. When we process special category of data and criminal records, the lawful basis is supported by additional conditions of the law. How long do we keep your data for?We retain the personal data of all service users only as long as we need it to fulfil our purposes and our legitimate interests. After this time, personal data will be reviewed and securely destroyed. Information relating to individuals who are referred to us who do not, for whatever reason, progress into one of our services will have their personal data retained for a period no longer than necessary for organisation.Confidentiality, data sharing and safeguarding: ●We may use legitimate interest to share your personal data with the delivery partners in order to provide you with a quality service which best suits your needs. ●Each organisation acts as individual data controller of your personal information and you should read their privacy notice in addition to this one. Third parties act as data processors and for that reason they will process your data on our behalf. ●Personal data are not shared with funders, unless it is a condition of the funding. ●To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concern with the authorities. In such circumstances, we apply vital interest and legitimate interest as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case by case basis. 3.APPENDIX 3 – Fundraising Information collected and why, who provides it, data retention and lawful basisWhen you make a donationInformation is provided by you via a donation form on our website or via third party donation platforms (e.g KindLink). The information gathered may be: name, email address, Gift Aid sign up, company name if donation made by an organisation, donation details, reasons to engage, postal address This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data. If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration. If you are donating using a third party, please also refer to the privacy notice published on their websites. When you sign up to our fundraising eventInformation is mainly provided by you via our website forms, via third party platforms (e.g FormAssembly, Eventbrite,) or in person during the events by paper forms. The information gathered may be: name, email address, company name if applicable, donation/payment details, reasons to engage, postal address, email address contact preference.This information allows us to administer your sign up, process payments, and deal with any potential enquiry. We rely on the legitimate interest to process this data. During these types of events, we may also take photographs and video recording of people attending where you may be included. This information allows us to showcase our work and have an effective external communication. We rely on our legitimate interest to process this data. If you are signing up to an event using a third party, please also refer to the privacy notice published on their websites. When you show interest in supporting us (e.g through a gift in your will or a pledge) and you decide to contact usInformation is provided mainly by yourself, via online forms or phone/email conversation with us. The information gathered may be: occupation, title, details of any correspondence had with ourselves, date of birth, fundraising appeals responses, event participations with us, details of your reasons to engage with us This information allows us deal with your enquiry and show you how to get engaged. We rely on our legitimate interest to process this data. How long do we keep your data for?We keep your data as long as necessary. If you’ve made a donation, showed interest in supporting us or participated in our events we may keep your data for 10 years. If you are a regular donor, we may keep your data for 10 years once you’ve stopped engaging with us. Data is destroyed or deleted in a secure manner as soon as the retention date has passed. If you wish to know more about our data retention, please contact us using the details above. Confidentiality - who do we share your data with? Please rest assured that we will never sell your details to any third party. In addition, if we ever need to send data to a third party for processing for the purposes of legitimate interests (for example checking against the Telephone Preference Service, updating our records and prospect researching from publicly available sources such as the electoral roll) we will make sure the company we use has signed a data processing agreement with us or other contractual obligations, so that they are bound to take care of your data in the same way we do. We may also share personal information with external auditors, e.g. the Charities Commission or for the audit of our accounts.We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.If you have made a Gift Aid declaration, we may disclose the information you have provided as part of the declaration to HMRC for the purpose of reclaiming gift aid on your donation(s). We may share or disclose your personal information if we are required to do so by any law, regulation or court order.4.APPENDIX 4 – Website visitors and cookiesWebsite CookiesFor more information about our website cookies, please refer to our Cookies Policy online.Social Media When you interact with us on social media platforms such as Facebook, we may obtain information about you (for example, when you publicly tag us in an event photo). The information we receive will depend on the privacy preferences you have set on those types of platforms. Please review the privacy notice of those platforms, in addition to this one. Links to other websitesOur website may contain links to other websites of interest. Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.