Guidance

Charity annual return privacy notice

Published 20 August 2018

Applies to England and Wales

This privacy notice explains how the Charity Commission processes personal data when a charity uses the annual return service, including uploading its accounts and the trustees’ annual report (‘the service’).

This notice is supplemented by our main privacy notice which provides further information on how the Charity Commission processes personal data, and sets out your rights in respect of that personal data.

It is drafted to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we process or use personal data. If you need further information please contact our Data Protection Officer.

Personal data the Charity Commission processes through the service

Information about	Categories of personal data	Automatically published on website
Person submitting the annual return	Personal data will be collected via ‘My Charity Commission Account’, including: • Name • Email address When submitting the Annual Return, the user will be presented with the above provided details. This data will be used to contact the charity if necessary.	No
	Personal data will be collected via AR23 service, including: • Telephone number	No
Charity details	Public address (if applicable) If a private address is provided here, it will be published.	Yes
	HQ administrative address (if applicable)	No
Charity Trustees	Trustee Payments Trustee details may indicate special category personal data such as religious belief depending on the charity and its governance	Yes
Employees	Salary band in increments of: • £10,000 if salaries are between £60,000 or • £150,000, or • £50,000 if salaries are between £150,001 and £500,000 • Over £500,000 (only if total emoluments exceed £60,000/£70,000 for the reporting period)	Yes
Individuals referred to in the accounts and trustees’ annual report	Any personal data contained within those documents. Examples include details of: • Name • Payments made or received, (eg as trustees, donors or beneficiaries) • Employment (published only if the total number of employees is 3 or more) • Benefits package • Goods and services provided • Property • Donations • Volunteering • Beneficiaries • Details about auditor/independent examiner There may be photos and copies of signatures in addition to text.	Yes

Why the Charity Commission asks for this information and what happens if it’s not provided

In broad terms, the Charity Commission collects information through the service in order to fulfil its functions and objectives as regulator of Charities and under the Charities Acts. You can find out more about our functions and objectives in our main privacy notice.

However, sections 163 to 169 Charities Act 2011 legally require charities with and income of over £10,000 and all CIOs to submit certain information to the Charity Commission.  As a result the Charity Commission is required by law to collect and process this information. If you are a charity trustee and you fail to provide the required information to the Charity Commission within the timeframe set out in the Charities Act 2011 you may be in breach of charity law and your legal duties as a charity trustee.

The Charities SORP (Statement of Recommended Practice FRS102) and the Charities (Accounts and Reports) Regulations 2008 require certain personal data to be provided. Anything over and above the required disclosures in SORP are at the Trustee’s discretion.

Personal data of the person using the annual return service

If you are the person completing the service we need your personal data because:

• we may need to contact you about your submission if we require any clarification or further information
• we need a record of the individual submitting the annual return on behalf of the charity
• by entering the service you are declaring that you have the authority to access the charity account

you make the declaration that to the best of your knowledge the information provided is not false or misleading in any significant way. It is a criminal offence to knowingly or recklessly provide the Charity Commission with information which is false and misleading in any significant way. For these reasons, if you do not provide the contact information we need we will not be able to process your request. Contact information is collected as you access the Annual Return digital service through your My Commission Account log on with additional information [phone number] collected prior to completing the return.

How the Charity Commission processes personal data provided through the service

Personal data provided prior to submission

Personal data inputted through the service via a part-completed Annual Return, which is saved but not submitted is stored for 6 months before being deleted.

Personal data submitted through the service (including accounts and annual reports)

On submission:

• data submitted through the service is transferred into the Charity Commission’s internal database where it will be stored, reviewed and used by the Charity Commission in furtherance of its statutory functions and objectives – further information on how we process personal data can be found in our main privacy notice
• the accounts and trustee annual report of charities are published on the Charity Commission’s website in full
• both the user and/or the Charity Commission charity contact will be sent an email notifying them that the annual return has been submitted

You will need to take particular care if you are including personal data about children, adults at risk, special category personal data or your charity’s trustees have a dispensation from including their name in the accounts.

Third party processors

In order to provide the service, we use data processors who are third parties, such as Azure Digital Services, who provide technology and data services to us. Although your personal data may be shared with these third parties, we have contracts in place with our data processors which mean that they cannot do anything with your personal information unless we have instructed them to do it.

Sharing of information

As explained above, certain information will be made public unless a dispensation is granted.

We may share personal data submitted through the service:

• where it is necessary to share the information in order to further our statutory objectives or functions
• with other government departments, public authorities, law enforcement agencies and regulators where this is necessary in the public interest
• in response to requests for information, for example pursuant to the Freedom of Information Act (FOIA), the Environmental Information Regulations (EIR), or our common law powers of disclosure but only if it is compatible with data protection legislation to do so
• with third party processors and service providers, such as Azure Digital Services
• to a court, tribunal, party or prospective party where the disclosure necessary in order to exercise, establish or defend a legal claim
• where we are ordered to by a court or tribunal or where we are otherwise required to do by law

You can find out more information about data sharing and further processing in the Commission’s main privacy notice.

How long we will hold your personal data.

The Commission will process personal data submitted through the Annual Returns Service for as long as is necessary to fulfil its statutory obligations under the Charities Act.

We have a legal obligation to allow the public to inspect the accounts of all registered charities for a limited time.  We satisfy this requirement by publishing the latest 5-years of annual return and accounts records (where available) via the Public Register of Charities.  This means any personal data contained within these records will be publicly available for up to 5-years, even if an individual is no longer involved with that charity.

The legal basis for processing your personal data.

The table below sets out the primary legal bases we rely on for processing data we obtain through the service. However we may process your data further for a compatible purposes and/or on other legal bases, further information is available in our main privacy notice.

Legal basis for processing
Personal Data (Article 6(1) GDPR)	Sensitive personal data/criminal conviction data
(c) processing is necessary for compliance with a legal obligation to which the controller is subject (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;	Article 9(2) GDPR (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018: • Statutory etc and government purposes; • Protecting the public against dishonesty etc; • Regulatory requirements relating to unlawful acts and dishonesty etc.

The table sets out the legal basis on which we process this information.

Your rights

You have a number of rights under the UK General Data Protection Regulation (GDPR), including the right to access your data and the right to restrict or object to further processing and the right to complain to the Information Commissioner’s Office.

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.