Update charity details privacy notice
Published 8 November 2018
© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/update-charity-details-privacy-notice/update-charity-details-privacy-notice
This privacy notice explains how we, the Charity Commission, process personal data submitted through the ‘Update Charity Details’ (UCD) service (‘the service’).
This notice is supplemented by our main privacy notice, our Personal information Charter, which provides further information on how we process personal data, and sets out your rights in respect of that personal data.
You should also ensure you are familiar with the ‘My Charity Commission Account’ (MCCA) privacy notice because you can only access the UCD service using your Charity Commission Account.
It is drafted to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use personal data. If you need further information please contact our Data Protection Officer.
What personal data does the Commission collect through the service?
The service enables charities to update their register particulars. The following register particulars may contain personal data, including special categories of personal data:
| Information about | Categories of personal data | Automatically published on website? |
|---|---|---|
| Charity Public address | Address, telephone number and email address This can be the address of an individual or an office or PO Box address |
Yes |
| The charity | Name and activity description | Yes |
| Charity trustees | Title, legal name, suffix and role | Yes |
| Charity trustees | Date of birth, date of appointment, address and post code, telephone number, email address (or confirmation that the person does not have an email address), date of resignation Trustee details may indicate special category personal data such as religious belief depending on the charity and its governance |
No |
| Charity contact details | Title, name, suffix, date of birth, role, date of appointment, address and post code, telephone number, email address (or confirmation that the person does not have an email address) | No |
| The charity | Bank details | No |
We also collect details of the person using the service, including their name, role at charity, telephone number, and email address.
Why does the Commission ask for this information? What happens if it’s not provided?
In broad terms, we collect information through the service to fulfil our functions and objectives as the regulator of charities and under the Charities Act. You can find out more about our functions and objectives in our main privacy notice.
Information about the charity, charity trustees and public charity contact details
Section 29 of the Charities Act 2011 requires us to keep a register of charities which must contain the name of the charity and other particulars determined by the Commission. The above information comprises register particulars and we are required to collect and process that information by law.
We also collect the above information so we can fulfil our wider functions and objectives as the regulator of charities in England and Wales. For example: publishing the names of trustees and activities of charities promotes public trust and confidence in charities and collecting contact and bank account details allows us to properly investigate allegations of misconduct or mismanagement.
S35(3) of the Charities Act 2011, requires trustees to notify us if there is any change to the particulars entered in the register. If you are a charity trustee and you fail to provide information where there has been such a change, you may be in breach of charity law.
You are also obliged to provide true and accurate information to us. It is an offence under S60 Charities Act 2011 to provide the Commission with information used in the discharge of its functions which is false or misleading
Charity contact details
We collect the contact details for the charity’s designated contact to ensure that we can contact an authorised person within the charity if we require further information while carrying out our functions and objectives.
Information about the person using the service
We collect data about the person using the service because:
- we may need to contact you about your submission if we require any clarification or further information
- we need an auditable record of submissions made on behalf of the charity
- by entering the information you are declaring that you have the authority to do so
- you are obliged to provide true and accurate information to us. It is an offence under S60 Charities Act 2011 to provide the Commission with information used in the discharge of its functions which is false or misleading
These details will be provided via your MCCA login and be automatically populated.
How we process personal data provided through the service
Internal use
Data submitted through the service is transferred into our internal database where it will be stored, reviewed and used by us in line with our statutory functions and objectives. Further information on how we process personal data can be found in our main privacy notice.
We will also use the personal data to verify users when setting up Charity Commission Accounts. Doing this ensures we provide a level of security in ensuring only those that require an account are granted one.
Notification
If the service is used to add or delete an individual or update their details on their behalf, and we hold an email address for that individual, we will email them notifying them of this change.
We will also send a confirmation to the person who made the change. If it was not the charity contact, they will also be notified. Only the names of the individual added or deleted, or whose details were updated will be shared.
Publication
Some information submitted through the service is routinely and automatically made available to the public on our website. Information published in this way is identified in the table above.
In certain circumstances we will withhold information from publication. We refer to this as a ‘dispensation’. Find further information on how dispensations are granted.
Even when we do not publish information submitted through the service or dispensation is granted, it is important to note that current trustee’s details are visible to their charity’s contact and super administrator. This is because dispensation relates to the public display of the trustee’s name only. However, each trustee does have the option to hide their personal data from the charity contact and super administrator of all charities they are a trustee for once they have an MCCA account. A change to these details will update them across each charity for which that person holds an active role.
You should also be aware that we provide extracts of publicly available register data to other organisations who may use it for their own purposes.
Third Party processors
To provide the service, we use data processors who are third parties who provide technology and data services to us. These processors include Azure and Data8. Although your personal data may be transferred to these third parties, we have contracts in place with our data processors which mean that they cannot do anything with your personal information unless we have instructed them to do it.
Sharing of information
As explained above, certain information will be automatically published on our website unless a dispensation is granted.
We may share personal data submitted through the service:
- where it is necessary to share the information in order to further our statutory objectives or functions
- with other Government departments, public authorities, law enforcement agencies and regulators
- in response to requests for information, for example pursuant to the FOIA, the EIR, or our common law powers of disclosure
- with third party processors and service providers
- to a court, tribunal, party or prospective party where the disclosure necessary in order to exercise, establish or defend a legal claim
- where we are ordered to by a court or tribunal or where we are otherwise required to do by law
You can find out more information about data sharing and further processing in our main privacy notice.
The legal basis for processing information
The table below sets out the primary legal bases we rely on for processing data we obtain through the service. However we may process your data further for a compatible purposes and/or on other legal bases, further information is available in our main privacy notice.
| Legal basis for processing | ||
|---|---|---|
| Categories of personal data | Personal Data (Article 6(1) GDPR) | Special categories of personal data/criminal conviction data |
| Identity details Contact details Role details Charity details (see table above) |
Processing for updating register particulars (c) processing is necessary for compliance with a legal obligation to which the controller is subject Other Processing (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
Article 9(2) GDPR (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018: Statutory etc and government purposes; Preventing or detecting unlawful acts; Protecting the public against dishonesty etc; Regulatory requirements relating to unlawful acts and dishonesty etc. |
We may process your personal data on more than one basis depending upon the purpose for which we are using your data. Please email us at RIGA@charitycommission.gov.uk if you need details about the specific legal basis we are relying on to process your personal data.
Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For Register Particulars, the data is retained for 10 years from the date of removal from the Register.
Audit data relating to activity using your MCCA account, including accessing this service, is retained for two years.
It is important to note that in certain circumstances we retain personal data received in connection with a particular charity even after a person’s involvement with a charity has ended and after the charity is no longer registered.
Your rights
You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data and the right to restrict or object to further processing and the right to complain to the Information Commissioner’s Office. You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.