'My Charity Commission Account' privacy notice
Updated 4 July 2023
Applies to England and Wales
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/my-charity-commission-account-privacy-notice/my-charity-commission-account-privacy-notice
Scope of this privacy notice
This privacy notice sets out how we process your personal data when you set up and use ‘My Charity Commission Account’ from 31 July 2023.
This privacy notice also explains how a charity’s contact and administrator(s) can process personal data when managing other users’ access to our online services on behalf of the charity.
Please note that it is also up to the charity to provide this information to their users, who can be signposted to this privacy notice.
This privacy notice does not cover personal data processed by the online services accessed via your Charity Commission Accounts. Each of these online services has their own privacy notice:
- Charity annual return privacy notice
- Change charity financial period privacy notice
- Register a charity privacy notice
- Update Charity Details privacy notice
This notice is in addition to our Personal Information Charter, which provides information on how we process personal data at the Charity Commission, and your rights. If you need further information, please contact our Data Protection Officer.
What is ‘My Charity Commission Account’?
‘My Charity Commission Account’ (MCCA) is an online account for relevant individuals (ie trustees, charity contacts and others) to access our online services for their charity. These services include updating charity details, submitting annual returns, and making changes to a governing document, a charity’s name or financial year end. Accounts are unique to each individual, with their own email sign-in and password.
If you work with more than one charity, you will be able to access our online services for each charity from one Charity Commission Account, provided you’ve registered identical personal information, including the same email address, for each.
Your level of access to our online services will depend on your role within, or relationship with, the charity. The different levels of access are as follows.
Full access
Only the charity contact will have full access initially. If you are a charity contact, you will have access to all our online services for that charity. This includes being able to edit trustees’ personal details through ‘Update Charity Details’, which you will access via MCCA. You will be able to edit third-party users’ details on MCCA for their MCCA account, provided that the third-party user is only linked to your charity.
You will be the charity’s primary administrator responsible for activating all individual user accounts as well as managing new account and user access requests for your charity.
You will also be able to grant administrative rights to other users. In this privacy notice, we refer to these users as ‘user administrators’. You can grant one of these administrators the same level of access as a charity contact or primary administrator. In this privacy notice, we refer to these users as ‘super administrators’. Anyone with administrative rights can also activate individual user accounts and grant other users access to our services on behalf of your charity.
Trustee access
If you are a charity trustee, you will have access to all our online services for that charity. You will be able to update and maintain your own personal details in your MCCA account and in our ‘Update Charity Details’ service. However, you will need super administrator rights to view and change the details of other trustees, and either super or user administrative rights to view and change a third-party user’s details (if that user is only linked to your charity).
Third-party access
If you are neither a trustee nor a charity contact but need access to our online services on a charity’s behalf (because you are, for example, a charity employee, volunteer or professional advisor), you can request a Charity Commission Account.
Your account and access to our online services will be managed by the charity’s contact and administrator(s). You will be able to update and maintain your own personal details, but you will need super administrator rights to view and change the details of trustees and either super or user administrator rights to view and change another third-party user’s details (if that user is only linked to your charity).
Find more information on the different levels of access in our My Charity Commission Account guidance.
Personal data the Commission collects and processes through ‘My Charity Commission Account’
We collect and process the following types of personal data for the purpose of enabling individuals to create and use a Charity Commission Account.
| Who the information is about | Categories of personal data |
|---|---|
| Charity contact | Name, date of birth, address, email address, telephone number, role within the charity |
| Trustees | Name, date of birth, address, email address, telephone number, role within the charity |
| Third-party users (for example, employees, volunteers and professional advisers) | Name, email address |
Why we need this information and what happens if it is not provided
‘My Charity Commission Account’ (MCCA) has been created to provide a secure, online way for you to access our online services. These online services allow us to fulfil our functions and objectives as regulator of charities and under the Charities Acts. You can find out more about our functions and objectives in our Personal Information Charter .
The personal data we collect or use via MCCA is the minimum required to enable us (or the charity contact /administrator(s)) to verify who you are and give you access through MCCA.
Without the personal data set out above you will be unable to open a Charity Commission Account.
How we will collect this personal data
The personal data we process in connection with your Charity Commission Account is collected from the following sources.
Directly from you
We collect data directly from you, for example, when you apply to set up and use your account.
The charity(ies) you work with
We collect your personal data from the charity(ies) you are working with via the charity contact or administrator(s), for example, when they are registering a new trustee and/or are creating or managing an account.
The Charity Database
If your personal data is held on our charity database (for example, we hold charity contact and trustee personal data on the database), we will use this data to help verify your identity and ensure your contact details are accurate and up-to-date when you set up a Charity Commission Account. (Please note that this database is not the public Charity Register, although any information on that Charity Register is drawn from this database.)
How we will process this personal data
Authenticating your email address
We will email your registered address to check that it is accurate and active.
Linking accounts
Where possible, we will use your data to automatically link your account to all charities you work with.
Managing access to our online services
Your charity’s contact or administrator will use your personal data to manage your access to our online services on behalf of the charity.
Please note, while you are a trustee of a charity neither the charity contact nor administrators can remove your access to our online services, and you automatically have full access to all the online services available to trustees. You can however choose to delete your own account.
Maintaining information in the Charity Database
If you are a charity contact or trustee, when you first apply to set up a Charity Commission Account, we will use the data that we currently hold for you in our Charity Database. You can update your own data in ‘My Charity Commission Account’ (MCCA) or through the ‘Update Charity Details’ service after signing in through your account. When you update your details, these changes will be reflected on our Charity Database and across all the charities you are linked to.
If you are a trustee for a charity(ies) and have an MCCA account, you can choose to block the charity contact and super administrator for the charity(ies) from accessing your personal details. This will block their access to this information in both MCCA and the ‘Update Charity Details’ service.
As a trustee or a contact, it is your responsibility to ensure that your personal details on the Charity Database are kept up to date and accurate.
Communicating with you
We will notify you by email:
- when you submit a request for access and with the outcome of that request
- when your additional permissions have been changed
- if your personal data is amended
If you are a charity contact or trustee, we will notify you when a new administrator has been appointed or when an administrator has been removed.
Keeping an audit trail
For security purposes, we will keep a record of when you:
- update or amend your data within MCCA account
- edit a third-party’s data or change their access levels
- access an online service and which one you accessed
Sharing information
When you apply to set up a Charity Commission Account, the personal data you provide will be shared with the charity contact and administrator(s) for the purpose of granting and managing your access to our online services.
We will not share data submitted for the sole purpose of creating, accessing and/or managing a Charity Commission Account with anyone else, unless required to do so by law
We will not process any personal data submitted for the sole purpose of creating, accessing and/or managing a Charity Commission Account outside the UK unless required to do so by law. However, depending on where the charity contact, super or user administrators are located, your personal data may be accessed by those individuals outside the UK.
In respect of all other data processed, we may share your personal data:
- where it is necessary for our statutory objectives or functions
- with other government departments, public authorities and regulators
- where we are legally obliged to in response to requests for information, for example pursuant to the Freedom of Information Act, the Environmental Information Regulations, or our common law powers of disclosure
- with third-party processors and service providers
- to a court, tribunal, party or prospective party where the disclosure is necessary to exercise, establish or defend a legal claim
- where we are ordered to by a court or tribunal or where we are otherwise required to do by law
You can find out more information about data sharing and further processing in the Commission’s Personal Information Charter.
The legal basis for processing your personal data
The table below sets out the primary legal bases we rely on for processing data we obtain through ‘My Charity Commission Account’ (MCCA).
However we may process your data further for compatible purposes and/or on other legal bases, further information is available in our Personal Information Charter
‘My Charity Commission Account’ will not process special category data. We acknowledge that we might incidentally collect special category data if such data can be inferred from the information you provide to us when creating and using your account or the information we already hold about you.
| Legal basis for processing | ||
|---|---|---|
| Categories of personal data | Personal Data (Article 6(1) GDPR) | Special categories of personal data/criminal conviction data |
| All personal data set out in the table above | (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
Article 9(2) GDPR (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018: Statutory etc and government purposes; Preventing or detecting unlawful acts; Protecting the public against dishonesty etc; Regulatory requirements relating to unlawful acts and dishonesty etc |
How long will we hold your personal data
We will delete your account and any personal data held only for the purpose of providing you with an account 24 months after the last time you logged into your account.
All personal data held by us for any other purpose will be retained in accordance with our Personal Information Charter.
We will delete all ‘My Charity Commission Account’ audit data after 24 months.
Your rights
You have a number of rights under the UK General Data Protection Regulation (UKGDPR), including the right to access your data, the right to restrict or object to further processing and the right to rectification or erasure of your data.
Our DPO is responsible for monitoring our compliance with data protection legislation and is the point of contact for concerns you may have over how we are processing your personal data, and any incidents you wish to report to us. If you have any concerns, contact our Data Protection Officer:
Data Protection Officer
Charity Commission for England and Wales
PO Box 211
Bootle
L20 7YX
Tel: 0300 066 9197
You also have the right to complain to the Information Commissioner’s Office.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
You can find out more about your rights in our Personal Information Charter.
The Charity Commission is the controller of the personal data processed by ‘My Charity Commission Account’. The Charity Commission’s contact details are:
Charity Commission for England and Wales
PO Box 211
Bootle
L20 7YX
Tel: 0300 066 9197
Data protection queries can be sent to: DPO@charitycommission.gov.uk