Privacy Policy
This Policy tells you how Fairshare Educational Foundation (ShareAction) processes and protects your personal data. We aim to be clear when we collect your data, let you know what we will use it for and keep it secure.
When providing us with your details you accept this privacy policy and authorise ShareAction to collect, store and process your personal data in the ways mentioned in this policy and for the purposes you have given it to us.
If you would like more information or have any questions, please email us at info@shareaction.org or call us on 0207 403 7800.
What personal data is collected?
We may collect personal information about you when:
· You sign up to our mailing list(s),
· You make a one-off donation or sign up to donate regularly,
· You sign up to attend one of our events,
· You become involved in one of our campaigns,
· You fill out a survey or quiz we send you,
· You contribute content to us, such as an article, podcast or interview,
· You apply for a paid or volunteering role with us.
The information we collect may include, among other details, your name, address, email address, telephone number, pension provider, responsible investment issues of particular interest to you, your involvement in ShareAction campaigns or activities, information as to whether you are a taxpayer, your employer or organisations in our network that you are affiliated to.
We may also collect information about you from publicly available sources from places like Companies House or information published in newspapers.
If you make a donation, we will collect the details necessary to process this payment e.g. bank account details to set up a Direct Debit and ask for consent to use your contact details to send you updates on our campaigns and occasional appeals. We do not store credit or debit card details and when making an online donation your payment details are processed by secure verified third-party payment providers.
We will not collect sensitive personal information or information classified as a special category unless there is a clear reason as to why we need it. We will only collect this with your consent, and we will give clear notices so that you know why we need this data and how long we will keep it for.
Profiling
We might use profiling or screening methods to ensure that communications are relevant to you and we do this by using data that you provide us with, data from publicly available sources, and data that is processed automatically through the systems we use (for example, whether you have previously opened emails from us). Profiling also allows us to understand more about people that support us which helps us to make appropriate requests for involvement in our campaigns and fundraising appeals. We may use geographic and demographic information to build a profile. Under the Data Protection Act 2018, you have the right to obtain an explanation of any profiling decisions we have made and challenge these decisions.
Cookies
Cookies are tiny files that are downloaded to your computer to improve your website viewing experience. By using our website you agree to our use of cookies and you can read more about how we use cookies in our Cookie Policy.
Our website may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements or the content contained on them.
Why is this data collected?
How we use your personal data will depend on the reason you are providing it and we will make the reason clear when we collect the data. We will mainly use your data to:
· Provide you with services or information that you have asked for, such as sending you a newsletter, inviting you to training, or sending you more information about our campaigns.
· Keep you informed about our campaigns and movement and respond to questions you may have.
· Process your donation, including processing any Gift Aid declaration.
· Invite you to events we think might be of interest to you.
· Invite you to participate in our campaigns.
· Invite you to participate in developing content for us such as articles, podcasts, or interviews.
· Keep a record of how you prefer to be contacted.
· Keep a record of your relationship with us.
· Understand how we can improve our services, products and the information we provide.
· Develop a better understanding of our supporters to help us make better decisions in order to deliver our mission.
· Aggregate information for confidential reporting to project partners (see the Third Parties section below for more information on how your data is shared with project partners).
Our legal basis for processing personal data
The legal basis for processing your data depends on the reasons and circumstances we are collecting it.
Our legal basis for processing most personal data is that you have given us your consent to do so. You have the right to withdraw your consent for holding and processing your data and can do so by emailing us at info@shareaction.org or calling us on 020 7403 7800.
In some circumstances, the processing is necessary for the performance of a contract with you or necessary for us to comply with a legal obligation.
Legitimate Interests
Sometimes the legal basis for processing your data may be because it is in our legitimate interests to perform our operations. Before doing this, we will complete a legitimate interest assessment to carefully consider and balance any potential impact on you and your rights. We will not process any data if there is any risk of harm or potential conflict with your interests. Some examples of where we have a legitimate interest in processing data are:
· Managing our ongoing relationships with our professional contacts.
· Researching new professional contacts at companies, investors and other NGOs that may be interested in our campaigns.
· Using networking sites like LinkedIn to reach out to professional contacts who we think may be interested in our work.
· Managing our financial transactions and preventing fraud.
How is my data protected?
We take good care to ensure that the information we store on our database is kept secure in order to prevent unauthorised access and comply with the Data Protection Act 2018. Our devices are encrypted and staff that work with data have received appropriate training.
Third parties
We will never sell or lease your personal information, and will only disclose it to third parties if we have an appropriate lawful basis to do so.
Service providers
Like most organisations, we use trusted service providers to help our operations to be more efficient. Where these providers are located outside of the EEA, we have taken steps to ensure that these services have appropriate security measures in order to protect your information and remain compliant with the GDPR. All providers we use are well renowned for their data security and have the appropriate technical controls and policies in place to protect your personal details.
1. Salesforce
All the personal data mentioned is stored in and processed through our Salesforce database. The purpose of this processing is to deliver our services and charitable objectives. The data is processed in the USA. Salesforce has received approval from European data protection authorities for its Binding Corporate Rules ("Salesforce Processor BCR"). For more details and to view the BCR, click here.
2. Engaging Networks
Personal information is stored within the Engaging Networks platform for the purpose of communications and newsletters to supporters, stakeholders and other interested parties. The data is processed in Canada. Engaging Networks’ service is subject to legal requirements outlined in the GDPR, their full data protection policy can be accessed here.
3. Microsoft and Office 365 Suite
Office 365 with OneDrive and SharePoint allows people to store, share and work together on content. It is a cloud-based “Software as a Service” platform that includes the transmission of customer data across the Internet to and from Microsoft’s cloud infrastructure and the storage and processing of customer data on Microsoft’s cloud infrastructure. Full details on privacy, compliance and a GDPR overview can be read here.
Project Partners
We work with other charities and NGOs on some of our campaigns to share knowledge and resources. We will never share personal information with them without your explicit and informed permission but we may aggregate information in order to share statistical information needed for analysis. We will not include any details that could identify a specific individual.
How can I access, update or ask ShareAction to stop using my personal information?
If your details change, or for any reason the details we hold about you appear to be inaccurate, please let us know and we will update them on our system.
You can also change your mind at any time about the ways in which we contact you or withdraw your consent for us to process your data. You can do this by emailing unsubscribe@shareaction.org or calling us on 0207 4037 800. Most emails we send you will include a link you can click on to unsubscribe from that particular type of communication.
How long we store information
We have a data retention policy of five years, if you have not engaged with us via our communications or any other means within a five-year period, we will remove your details from our database.
If you tell us that you no longer would like us to contact you, we will keep limited amounts of information (usually just your name and email address) to ensure you do not receive communications from us in the future – we will not use it for any other purpose. In certain circumstances, you also have the right to have your personal data erased from our databases completely and you can ask us to do this at any time. Legally, we are required to hold some types of information to fulfil our statutory obligations. Details needed to claim Gift Aid is one example of this.
We regularly monitor your engagement with our communications and will periodically send emails to ask if you still wish to receive updates about ShareAction’s work. We will continue to hold your personal data while you are actively engaged with us until you ask us not to.
If we are processing your data on the basis of consent, we will store your data for five years after your last interaction with us, such as a donation or campaign action. We will stop contacting you after five years. If this happens and you want to start hearing from us again you can tell us using the methods above.
Subject access requests
To make a subject access request, or ‘DSAR’ for a copy of all the personal data we hold about you, please email us at enquiries@shareaction.org. We will not charge you for dealing with your request and will provide your personal data within one month of receipt unless it is a complex request.
Making a complaint
If you have any concerns about our use of your personal information, you can make a complaint to us by emailing enquiries@shareaction.org.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office Wycliffe House, Water Lane Wilmslow Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Governance, Review and Responsibility Levels
This Policy is set by the Finance, Audit Risk & Controls Committee (the FARC Committee), which also has oversight of its implementation.
This Policy is to be reviewed every two years to ensure it remains efficient and effective in its purpose. The Senior Technology and Information Manager, with the support of the Director of Finance and Operations, will draft an updated version of the Policy to be reviewed, discussed, and approved at a relevant meeting of the FARC Committee.
The following identifies who at ShareAction is Responsible, Accountable, Consulted or Informed with regard to this Policy.
Responsible: Senior Technology & Information Manager
Accountable: Chief Operating Officer
Consulted and Approved by: FARC Committee
Informed: All staff, volunteers and contractors
The following definitions apply:
· Responsible –person(s) responsible for developing and implementing the policy.
· Accountable – person who has ultimate accountability and authority for the policy.
· Consulted – person(/s)/groups to be consulted prior to policy implementation or amendment.
· Informed – the person(s)/groups to be informed after policy implementation or amendment
Procedure Sign-off and Version History
Review Process - Previous Version: FARC Committee, 2 September 2022
Operational Date - Previous Version: 7 September 2022
Review Process – Current Version: FARC Committee, 17 October March 2024
Operational Date - Current Version: 18 October 2024
Next Review Period: 4Q 2026
Version History: V4
Prepared by: Senior Technology & Information Manager
Copyright
You are welcome to use any text written by ShareAction, especially to join us in the campaign for Responsible Investment. However we do require that you fully source any material you use, crediting ShareAction. For further details please contact us.