Charity annual return privacy notice
Published 20 August 2018
Applies to England and Wales
© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/charity-annual-return-privacy-notice/charity-annual-return-privacy-notice
This privacy notice explains how the Charity Commission processes personal data when a charity uses the annual return service, including uploading its accounts and the trustees’ annual report (‘the service’).
This notice is supplemented by our main privacy notice which provides further information on how the Charity Commission processes personal data, and sets out your rights in respect of that personal data.
It is drafted to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use personal data. If you need further information please contact our Data Protection Officer.
Personal data the Commission collects through the service
| Information about | Categories of personal data | Automatically published on website |
|---|---|---|
| Person submitting annual return | Name Role within/relationship to charity Telephone number Email address |
No |
| Charity Trustees | Name Trustee benefits Trustee details may indicate special category personal data such as religious belief depending on the charity and its governance |
Not as part of AR18 service Yes |
| Employees | Name Role Salary band in increments of: • £10,000 if salaries are between £60,000 or £150,000, or • £50,000 if salaries are between £150,001 and £500,000 (only if total emoluments exceed £60,000/€70,000 for the reporting period) |
No No Yes |
| Individuals referred to in the accounts and trustees’ annual report | Any personal data contained within those documents Examples include details of: • Name • Payments made or received, (eg as donors or beneficiaries) • Employment • Benefits package • Goods and services provided • Property • Donations • Volunteering • Beneficiaries • Details about auditor/independent examiner There may be photos and copies of signatures in addition to text |
Yes |
Why the Commission asks for this information and what happens if it’s not provided
In broad terms, the Commission collects information through the service in order to fulfil its functions and objectives as regulator of Charities and under the Charities Acts. You can find out more about our functions and objectives in our main privacy notice.
However, sections 163 to 169 Charities Act 2011 impose specific obligations on Charity trustees to submit information to the Commission. In consequence the Commission is required by law to collect and process such information, and if you are a charity trustee and you fail to provide information in breach of those provisions you may be in breach of charity law.
Personal data of the person using the 2018 and 2019 annual return service
If you are the person completing the service we need your personal data because:
- we may need to contact you about your submission if we require any clarification or further information
- we need a record of the individual submitting the annual return on behalf of the charity
- by entering the service you are declaring that you have the authority to access the charity account
- when you provide us with information you are obliged to comply with section 60 Charities Act 2011 which means that it is an offence to provide the Commission with information used in the discharge of its functions which is false or misleading
Providing these details allows us to ensure that this is complied with. If you do not provide the contact information we need we will not be able to process your request.
How the Commission processes personal data provided through the service
Personal data provided prior to submission
Data inputted through the service but not submitted is stored for 90 days before being deleted.
Personal data submitted through the service (including accounts and annual reports)
On submission:
- data submitted through the service is transferred into the Charity Commission’s internal database where it will be stored, reviewed and used by the Commission in furtherance of its statutory functions and objectives - further information on how we process personal data can be found in our main privacy notice
- the accounts and trustee annual report of charities are published on the Commission’s website in full
- both the user and the commission charity contact will be sent an email notifying them that the annual return has been submitted
You will therefore need to ensure that only information which can be publicly displayed is included in the accounts and trustee annual report. You will need to take particular care if you are including personal data about children, adults at risk, special category personal data or your charity’s trustees have a dispensation from including their name in the accounts.
Third party processors
In order to provide the service we use data processors who are third parties who provide technology and data services to us. These processors include Amazon Web Services. Although your personal data may be transferred to these third parties, we have contracts in place with our data processors which mean that they cannot do anything with your personal information unless we have instructed them to do it.
Sharing of information
As explained above, certain information will be made public unless a dispensation is granted.
We may share personal data submitted through the service:
- where it is necessary to share the information in order to further our statutory objectives or functions
- with other government departments, public authorities, law enforcement agencies and regulators
- in response to requests for information, for example pursuant to the Freedom of Information Act (FOIA), the Environmental Information Regulations (EIR), or our common law powers of disclosure
- with third party processors and service providers
- to a court, tribunal, party or prospective party where the disclosure necessary in order to exercise, establish or defend a legal claim
- where we are ordered to by a court or tribunal or where we are otherwise required to do by law
You can find out more information about data sharing and further processing in the Commission’s main privacy notice.
How long we will hold your personal data
The Commission routinely deletes personal data submitted through the service 7 years after it is submitted. However, it may be necessary to retain personal data for longer, for example if we are conducting an investigation into the charity at the end of the 7 year period.
Whilst we hold the data we are under a legal obligation to allow the public to inspect the accounts for a charity. This means that personal data will be publicly available even if the charity is removed from the Register or after you are no longer involved with the charity.
The legal basis for processing your personal data
The table below sets out the primary legal bases we rely on for processing data we obtain through the service. However we may process your data further for a compatible purposes and/or on other legal bases, further information is available in our main privacy notice.
The table sets out the legal basis on which we process this information.
| Legal basis for processing | |
|---|---|
| Personal Data (Article 6(1) GDPR) | Sensitive personal data/criminal conviction data |
| (c) processing is necessary for compliance with a legal obligation to which the controller is subject (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
Article 9(2) GDPR (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018: • Statutory etc and government purposes; • Protecting the public against dishonesty etc; • Regulatory requirements relating to unlawful acts and dishonesty etc. |
Your rights
You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data and the right to restrict or object to further processing and the right to complain to the Information Commissioner’s Office.
You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.