Guidance

Report a serious incident in your charity privacy notice

Updated 15 July 2019

This privacy notice explains how the Charity Commission processes personal data when you report a serious incident using our online form or template for bulk reporting (“the forms”).

This notice is supplemented by our main privacy notice which provides further information on how the Charity Commission processes personal data, and sets out your rights in respect of that personal data.

Personal data the Commission collects through the forms

Information about: Person submitting the serious incident report
Categories of personal data:
  • Name
  • Connection to charity
  • Telephone number
  • Email address
Automatically published on website: No

Information about: Disqualified trustees
Categories of personal data:
  • Name
  • Date of birth
  • Address
  • Reason for disqualification
Automatically published on website: No

Information about: The charity’s contact at any other agency/regulator to which the incident has been reported
Categories of personal data:
  • Name
  • Contact details
Automatically published on website: No

Information about: Individuals referred to in the report of a serious incident
Categories of personal data: Any personal data contained within the report. Examples include details of:
  • Name
  • Gender
  • Age
  • Contact details
  • Physical characteristics
  • Employment
  • Benefits package
  • Payments made or received (e.g. as donors or beneficiaries)
  • Goods and services provided
  • Property
  • Criminal conviction and offences data including the alleged commission of offences
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Data concerning health
  • Data concerning a person’s sex life or sexual orientation
  • Other information which enables a living individual to be identified
Automatically published on website: No

Why the Commission asks for this information and what happens if it’s not provided

In broad terms, the Commission collects information through the forms in order to fulfil its functions and objectives as regulator of charities and under the Charities Acts. You can find out more about our functions and objectives in our main privacy notice.

Specifically, the Commission collects information through the forms to enable it to:

  • ensure trustees are complying with their duties: by reporting a serious incident, you show that you have identified a risk to the charity that has materialised, and that the trustees are taking appropriate action to deal with it
  • provide regulatory advice or guidance or use its statutory powers: timely reporting allows the Commission to identify problems in charities at an early stage and, where appropriate, to provide regulatory advice and guidance to trustees. In the most serious cases the Commission may need to use its statutory powers in order to protect the charity and put it back on track
  • assess the risk to other charities: serious incident reporting helps the Commission measure the volume and impact of incidents within charities, to identify trends and to understand the risks facing the sector as a whole. This insight helps the Commission to warn charities about risks and give trustees the information and tools they need to succeed

The Commission only specifically asks you to provide the following personal data when you complete the forms:

  • your name, telephone number, email address and your connection with the charity so that we can contact you for clarification or further information if required (we also need a record of the person submitting the report on behalf of the charity)
  • the name, date of birth and address of any trustees of the charity who are disqualified and the reason for disqualification so that we can verify the information, assess any risks to other charities and determine whether any regulatory action is required
  • where you have reported the serious incident to another regulator/agency, the name and contact details of your contact at that regulator/agency so that we can contact them for more information if required and, in some cases, coordinate our response

The forms do not otherwise require you to provide any of your or another person’s personal data unless an incident cannot be reported without you doing so. The Commission anticipates that a report could include any category of personal data. If you do need to provide personal data, the Commission asks that you limit the personal data provided to the minimum amount necessary to submit your report.

If the Commission considers it necessary to have additional information we will contact you.

If you do not provide the contact information we need we will not be able to process your report.

How the Commission processes personal data provided through the forms

Personal data submitted through the forms

On submission:

  • data submitted through the form is transferred into the Charity Commission’s internal database where it will be stored, reviewed and used by the Commission in furtherance of its statutory functions and objectives - further information on how we process personal data can be found in our main privacy notice
  • the person who submits an online form will be sent an email notifying them that the serious incident report has been submitted

Third party processors

In order to provide the online form we use a third party data processor, which provides technology and data services to us. Although your personal data will be held by this third party, we have a contract in place which means that they and their subcontractors cannot do anything with your personal information unless we have instructed them to do it.

Sharing of information

We may share personal data submitted through the form:

  • where it is necessary to share the information in order to further our statutory objectives or functions
  • with other government departments, public authorities, law enforcement agencies and regulators
  • with other third parties (for example, a bank, charity trustees, other stakeholders) where we consider it necessary in order to further our statutory objectives or functions
  • internationally where such a transfer is necessary for important reasons of public interest or otherwise necessary for the establishment, exercise or defence of legal claims
  • in response to requests for information, for example pursuant to the Freedom of Information Act (FOIA), the Environmental Information Regulations (EIR), or our common law powers of disclosure
  • with third party processors and service providers
  • to a court, tribunal, party or prospective party where the disclosure is necessary in order to exercise, establish or defend a legal claim
  • where we are ordered to by a court or tribunal or where we are otherwise required to do so by law

We may also in limited cases publish the information, for example, if a serious incident report requires the Commission to take regulatory action or if we consider it necessary to issue a press release.

You can find out more detailed information about how we share data and further processing in the Commission’s main privacy notice.

The table below sets out the primary legal bases we rely on for processing data we obtain through the forms. However, we may process your data further for a compatible purpose and/or on other legal bases - further information about this is available in our main privacy notice.

Legal basis for processing

Personal data (Article 6(1) GDPR):

  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Sensitive personal data/criminal conviction data:

Article 9(2) GDPR:

  • (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018:

  • Statutory etc and government purposes
  • Preventing or detecting unlawful acts
  • Protecting the public against dishonesty etc
  • Regulatory requirements relating to unlawful acts and dishonesty etc

How long we will hold your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

It is important to note that in certain circumstances we retain personal data received in connection with a particular charity even after a person’s involvement with a charity has ended and after the charity is no longer registered.

Your rights

You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data, the right to restrict or object to further processing, and the right to complain to the Information Commissioner’s Office.

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.