Guidance

Charity Commission whistleblowing privacy notice

Published 31 January 2020

This privacy notice explains how the Charity Commission processes your personal data when you contact us as a whistleblower.

This notice is supplemented by our main privacy notice which provides further information on how the Charity Commission processes personal data, and sets out your rights in respect of that personal data.

Personal information we collect when you provide information to us as a whistleblower

When you raise your concerns with us we ask for your:

  • identity details
  • contact details
  • details of your connection to a charity
  • contact at any other agency/regulator to which the incident has been reported

We also ask for information about your concern and its impact. Your response may include the personal data of others, or you may provide the personal data of others within the report you submit.

Why we ask for this information and what happens if it’s not provided

In broad terms, the Commission collects information in order to fulfil its functions and objectives as the regulator of charities and under the Charities Acts. You can find out more about our functions and objectives in our main privacy notice.

Specifically, the Commission asks for this information to enable it to:

  • ensure trustees are complying with their duties: by raising your concerns, you may be identifying a risk to the charity that the Commission will need to discuss with the trustees
  • provide regulatory advice or guidance or use its statutory powers: receiving whistleblowing reports allows the Commission to identify problems in charities at an early stage and, where appropriate, to provide regulatory advice and guidance to trustees. In the most serious cases the Commission may need to use its statutory powers in order to protect the charity and put it back on track
  • assess the risk to other charities: receiving whistleblowing reports can help the Commission measure the volume and impact of incidents within charities, to identify trends and to understand the risks facing the sector as a whole. This insight helps the Commission to warn charities about risks and give trustees the information and tools they need to succeed

The Commission only specifically asks you to provide the following personal data when you contact us:

  • your name, telephone number, email address, and your connection with the charity. This is so that we can contact you for clarification or further information if required
  • where you have reported the serious incident to another regulator/agency, the name and contact details of your contact at that regulator/agency so that we can contact them for more information if required and, in some cases, coordinate our response

We do not otherwise require you to provide any of your or another person’s personal data unless an incident cannot be reported without you doing so. The Commission anticipates that a report could include any category of personal data. If you do need to provide personal data, the Commission asks that you limit the personal data provided to the minimum amount necessary to submit your report.

If the Commission considers it necessary to have additional information we will contact you.

If you do not provide contact details we will not be able to discuss this further with you.

How we will process your personal data

Whistleblowing reports are submitted to a specific Charity Commission email address. They are logged and stored in our case management system while they are progressed. An automated email will notify you that the email has been received. Your report will then be initially triaged by our Assessment and Compliance team, who will contact you, or it may be passed to different areas of the business (depending on the nature of the information we receive), who will respond directly to you.

Sharing information

If you have asked that we treat your information in confidence and not let others know that you have approached us, we will do so wherever possible. However, there may be some occasions when we need to share personal data. This may occur:

  • where it is necessary to share the information in order to further our statutory objectives or functions
  • with other government departments, public authorities, law enforcement agencies and regulators but only where we consider it necessary in order to further our statutory objectives or functions
  • with other third parties (for example, a bank) but only where we consider it necessary in order to further our statutory objectives or functions
  • to a court, tribunal, party or prospective party where the disclosure is necessary in order to exercise, establish or defend a legal claim
  • where we are ordered to by a court or tribunal or where we are otherwise required to do so by law

You can find out more detailed information about how we share data and further processing in the Commission’s main privacy notice.

How long we will hold your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Please note that in certain circumstances we retain personal data received in connection with a particular charity even after a person’s involvement with a charity has ended and after the charity is no longer registered.

The legal basis on which we process this information when we receive a request is set out below. We may further process your data for a compatible purpose, and more information is available in our main privacy notice.

Categories of Personal Data:

  • identity details
  • contact details

Personal Data (Article 6(1) GDPR):

  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category data/criminal conviction data:

Article 9(2) GDPR - (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018:

  • statutory etc and government purposes;
  • preventing or detecting unlawful acts;
  • protecting the public against dishonesty etc;
  • regulatory requirements relating to unlawful acts and dishonesty etc

Your rights

You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data, the right to restrict or object to further processing, and the right to complain to the Information Commissioner’s Office (ICO).

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO, in our main privacy notice.