As a public serving charity EDM is committed to providing an efficient and responsive service to anyone EDM has interaction with including the general public and Fire & Rescue Service. To deliver our stated aims and objectives there is a certain amount of personal data required to assist and allow EDM to operate within its charitable parameters.
This Privacy Notice has therefore been designed to demonstrate EDM’s commitment to protecting and respecting personal data and to ensure compliance with the European Union General Data Protection Regulation (“GDPR”).
What data do we collect?
In order to carry out our aims and objectives some personal data will be obtained including, but not limited to, names, addresses, mobile phone numbers, email addresses, dates of birth (e.g. of employees and trustees), bank account details (of employees), CVs, performance reviews, DBS checks, NI & tax reference numbers of employees, training records & contracts of employment.
Sensitive personal data
Sensitive personal data (referred to as special category data in the GDPR) includes information about an individual that reveals his/her racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual life and/or data relating to criminal convictions and offences.
We may from time to time process sensitive personal data for the following reasons:
- in relation to the recruitment of new trustees (e.g. data relating to criminal convictions and offences);
- in relation to the employment of staff (e.g. data relating to trade union membership and criminal convictions and offences);
- during the process of recruiting specialist advisors and third party experts (e.g. data relating to criminal convictions and offences); and
- for the purpose of providing assistance to victims of fire, flood or other incident in fulfilment of EDM’s charitable objects (e.g. data relating to a person’s health).
Where and how do we collect it?
Personal information is mainly gained from the specific individual to whom the personal data applies. However, we also use other (publicly available) sources where applicable i.e. the government Land Registry portal and details held by Companies House.
For what purpose?
The reason for acquiring individual victim personal data is to assist and facilitate EDM personnel to carry out our stated aims and objectives as published on the Charity Commission website.
In addition, trustees, staff and volunteer data is also collected, along with appropriate data relating to third parties with whom EDM contracts for the purposes of delivering its stated aims (i.e. advisors and third party experts) for the following purposes:
- performance assessments,
- DBS checks,
- development of individual capability and training,
- to protect EDM and its employees,
- to deliver performance and outcome,
- to provide feedback as required, and
- to arrange invoice payment to contractors.
Who has access to the data?
EDM trustees and management are the only people who have full access to such personal data. Advisors (including professional advisors) and third party experts have limited access to personal data.
How is it shared internally/stored?
All personal data is stored on Microsoft cloud.
How does EDM keep data secure?
All personal data is input electronically and is password protected. Any paper based data is destroyed as soon as it has been stored electronically.
Who do we share data with?
The data EDM collects is used to either respond to a specific request for a support service arranged by EDM, for example making a property secure following a house fire, or following explicit agreement from the data owner to arrange for a third party to provide further specialist advice or action and explore a potential ongoing support service. EDM will also provide relevant information/feedback to the Fire & Rescue Service. Such sharing of information is done on a reactive ‘emergency’ basis to assist EDM in carrying out its charitable function. PLEASE NOTE NO PERSONAL OR CORPORATE DATA IS USED FOR FUND RAISING PURPOSES, SHARED OR SOLD FOR MARKETING, PROMOTIONAL OR OTHER FINANCIAL ACTIVITIES.
How/when do we delete it?
All information is stored long enough to allow EDM to carry out its charitable function, provide feedback and management oversight to ensure the compliant operation of EDM within the Charity Commission operational guidelines, following which it shall be deleted.
Longer retention periods may be appropriate where, for example, specific legal or public interest archival reasons apply.
Any personal details can be removed upon request by the specific individual.
Lawful basis for processing data
EDM is not only aware of the importance of protecting and respecting personal data but also the requirement for there to be a lawful basis for processing data. We ensure we process all personal data lawfully, fairly and in a transparent manner.
Data relating to trustees, employees, specialist advisors and third party experts
The main lawful grounds for processing data in relation to the above individuals are:
- that processing is necessary to perform a contract with the individual; and/or
- the processing is necessary for EDM to comply with its legal obligations; and/or
- the processing is necessary for the legitimate interests of EDM; and/or
- an individual has consented to the processing in question.
Data relating to beneficiaries of EDM
The main lawful grounds for processing data in relation to beneficiaries of EDM (or in other words victims of fire, flood etc) are: ‘Consent’ and ‘Legitimate interests’.
If someone has suffered a fire to their home and a fire officer asks if the individual would like some assistance from EDM and they agree to be contacted then the individual will be deemed to have given his/her consent for the receipt and processing of his/her data for these purposes until the individual states otherwise. However, we will ensure that explicit consent is obtained from an individual in relation to the receipt/processing by EDM of information relating to his/her health or any other personal sensitive data.
If someone has suffered a fire to their home and EDM have received a request to arrange for the property to be made secure by the fire service in the event the occupants are not present, perhaps due to relocation to hospital as a result of smoke inhalation, EDM would have a legitimate interest to receive/process personal data to carry out its functions and secure the occupant’s property while he/she is absent.
Lawful basis for processing sensitive personal data
Where we process sensitive personal data, other lawful processing grounds may apply. It is anticipated that in most cases we will rely on having obtained an individual’s explicit consent. (Please also see the paragraph above under the heading “Consent” in this regard).
Your rights in relation to your information
Personal data is protected in the UK pursuant to the GDPR (and any implementing legislation and any legislation or regulations that supersede this). EDM takes its obligations under the GDPR seriously, including the requirement that any personal data we use and process must be collected for a specified and legitimate purpose, must be accurate and kept up to date, and we must ensure the security of your personal data is maintained, including against accidental loss and unauthorised access.
Individuals also have various rights under the GDPR in relation to their personal data, including the following:
- rights to access, correct, erase, restrict or object to personal data being used by EDM;
- the right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services;
- the right to withdraw consent to EDM using their personal data; and
- the right to make a complaint with the data protection authority in the UK (the Information Commissioner’s Office – https://ico.org.uk/).
If you want to exercise any of these rights, please contact us at firstname.lastname@example.org. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month.