IPPF Data & Information Privacy Notice
Data & Information Privacy Notice Summary
From 25th May 2018 the EU GDPR (General Data Protection Regulation) becomes law. Most organizations operating within the EU that process personal information are required to be compliant with these regulations. The GDPR also applies to organizations outside the EU that process the personal information of individuals within the EU. (See section: ‘What constitutes Personal Data under GDPR’)
Organizations based in the EU that transfer personal data outside the EU are required to ensure that data is protected to GDPR standards either through legally binding agreements, binding corporate rules, GDPR compliant data protection clauses or approved code of conduct/certification mechanisms.
The IPPF is absolutely committed to protecting your personal information and being transparent about what information we hold. We treat the security of this information extremely seriously, including helping you understand how and why we process this information and what your rights are related to this information.
This Privacy Notice explains the types of personal data the IPPF may collect about you when you contact us via email, phone, social media, write to us, register with us, request information or services from us or kindly donate to us. It also explains other reasons we may collect personal data directly, share data or receive data. It explains how we store and process that data, and ensure it is secure.
This Notice also describes how the IPPF will make use of any personal data we handle in relation to individuals who contact us, subscribe, donate and other sources of personal data we may have been provided. It describes your data protection rights, including a right to object to or opt out of some of the processing we perform. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
This Privacy Notice may occasionally be updated. The IPPF will communicate any significant changes or changes that may require your interaction on its website or by contacting you if you have agreed to that contact.
Explaining the legal basis for handling personal data
The EU GDPR on data protection details various reasons the IPPF may collect and process personal data. This includes:
In specific situations, we can collect and process your data with your consent, for example when you tick a box to receive IPPF news, updates and information.
In certain circumstances, we need your personal data to comply with and act on any contractual obligations, for example if you work or volunteer for the IPPF we require certain information as part of your contract of employment or agreement.
If the law requires us to, we may need to collect and process your data, for example we may pass on details of people involved in fraud or other criminal activity affecting the IPPF to appropriate law enforcement authorities.
In some scenarios we may use your data to pursue our legitimate interests in a way which might reasonably be expected as part of running the IPPF and which does not materially impact your rights, freedom or interests, for example to notify you of a link to a new source of information in your stated fields of interest, to investigate issues or problems with our web site or services, to administer and protect our business, troubleshooting and retaining your contact information until you request to opt out.
When do the IPPF collect your data
- When you visit any of our websites and register your contact details to receive information or register your support;
- When you engage with us on social media
- When you download anything from our sites
- When you contact us by any means with queries, complaints, requests or provide us with information;
- When you request information or services about the IPPF via any associated organization;
- When you complete any surveys or questionnaires for us;
- When you comment on or review our services;
- When you apply for a job, contract, consultancy or volunteer for us;
- When you have given any third-party permission to share information they hold about you;
- When you book any appointment with us or book to attend an event organized by us;
- When you use IPPF premises that have CCTV systems. These systems may record your image during your visit;
- When you kindly donate to us and register your details;
- When you apply to or enter into any professional or voluntary contract with us to provide goods or services, send us information on goods and services, contracts, proposals, bids or any other business-related documentation that may contain personal information.
What personal data do we collect
We collect and process personal data from a variety of sources and reasons for doing so. This can include one or more of the following:
- Copies of documents you provide to prove your age or identity where the law or contract requires this. (Including your passport, Visa, driver's license). This will include details of your full name, address, date of birth and facial image. If you provide a passport, the data will also include your place of birth, gender and nationality.
- Details of your interactions with us via telephone, online or by using one of our applications or services;
- Your passport, National Insurance details and Visa where we have to check your eligibility or ability to work for us;
- Your payment and/or bank account details, where you provide these as an employee, contractor, consultant, volunteer or donor;
- Your medical conditions or disability, where you provide this to us with your consent to ensure we are aware of any support we may need to provide to you (i.e. Occupational Health, employee records, Insurance)
- Your CV, Resume, references, portfolio, presentations, case studies, academic and professional certificates or qualifications
- Details for life insurance, health plans, emergencies, next of kin, alternate contact details (Phone numbers, email and postal addresses)
- Employee records including your gender, sex, race, beliefs, orientation, health (weight, height, disabilities) for medical, safeguarding, equal opportunities and other anti-discriminatory recording and reporting requirements;
- Your contact details i.e. email address, mobile number when you register to receive information or services;
- Where activity, event and security logs may be kept and used for security and equipment performance monitoring and alerting purposes;
- Where any personal information (i.e. contact details) appear on any business-related documentation such as contracts, proposals, bids, invoices, correspondence, project plans, marketing / information sheets;
- Note: The IPPF does not collect personal information from cookies or services such as Google Analytics – for more information please see the sections on ‘Cookies’ and ‘Google Analytics’.
How the IPPF uses your data
- The IPPF uses your personal data to manage and administer contact lists of registered individuals to keep them up to date with news, events and information from the IPPF and applicable sources of interest;
- Amongst the data we collect from you may be financial (Bank) information. We will only hold this where you have given consent, for example regular donations;
- If you decide to change or withdraw the way we use your data you can easily do so – please refer to the section titled ‘What Rights Do I Have?’
- Please remember, if you choose to withhold certain personal information or refuse to be contacted we may not be able to provide certain services you have requested.
How the IPPF protects your data
The IPPF considers all matters pertaining to the Security of its data, systems and services to be of the highest priority, particularly the security of personal, confidential or classified data belonging to individuals and third parties who have entrusted IPPF with their information;
The IPPF are actively engaged in ensuring the Confidentiality, Integrity and Availability of its Information Technology systems, applications and data;
Personal, Confidential or sensitive information is subject to evolving security programs of work that seek to ensure ‘Better than’ commercial best practice protection is implemented and maintained;
Data Retention and Deletion (How long do we keep your data and when do we securely delete it)
The IPPF will only keep personal data for as long as is required and only for the purpose it was collected. Once that period has expired, or for example you have requested to be removed from our contact databases, we will ensure all your information is deleted as there will be no legal or contractual reason to retain it any longer.
Who we share personal data with
Contact Database Information
The IPPF does not share or sell its contact database (Your information) with any third parties. If you are not employed by the IPPF, volunteer with the IPPF or have any contractual or related dealings with us then we have no legal or contractual reasons to share your data without your consent.
If you are a donor and have contributed to the IPPF via credit or debit card your personal and banking related information would be handled securely and confidentially by our third-party payment provider. IPPF payment providers are confirmed to be GDPR and PCI-DSS compliant. The IPPF do not store or process any payment card information.
(PCS-DSS (The Payment Card Industry Data Security Standard) is an information security standard for organizations that handle branded credit cards from the major card schemes).
Employee, Volunteer information
If you work or volunteer for the IPPF we must collect, process and share certain personal information for legal and contractual reasons with external third parties that include, but is not limited to, HMRC (e.g. Tax), Government agencies (e.g. For security vetting and right to work), Medical, Insurance and Pension third parties.
All such personal information is only retained and processed by IPPF for as long as is necessary and as required to do so legally or contractually.
Where information is transferred outside the EEA (European Economic Area), and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, personal data is confirmed to be adequately protected by EU approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules.
What information do we receive from third parties?
Sometimes, we may receive information about you from third parties.
We may receive information relating to your existing registrations with other related organizations. Additionally, for certain IPPF role holders or those working with children, we may receive information from the Disclosure and Barring Service on the status of any DBS check you have been required to take.
We may also receive information from other organizations with similar views, goals and objectives to the IPPF.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. You can do this by contacting us using the details set out below in the “How do I get in touch with the IPPF?” section.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or stop any processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.
To exercise any of these rights, you can get in touch with us using the details set out below. If you have any concerns or feel a request has not been dealt with appropriately and to your satisfaction, you also have the right to complain to the Information Commissioner’s Office. (But please contact us first to respond and/or rectify)
How do I get in touch with the IPPF?
The controller for your personal data and IPPF’s Data Protection Officer can be contacted via [email protected] or write to GDPR, c/o IPPF, 4 Newhams Row, London SE1 3UZ.
If you would like a form to be emailed that you can print, complete and re-scan (along with any required proof of identity) please contact the gdpr email address above.
Our Data Protection Officer is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data. Please contact us at either address if you have any concerns or questions about the above information or you wish to ask us not to process your personal data for particular purposes or to update/erase your data. Where you have specific requests relating to how we manage your data, we will endeavour to resolve these, but please note that there may be circumstances where we cannot comply with specific requests.
Additional information, Response Times and Fees
We you send us any request to access, modify, change use or delete your personal information we may need to request additional information to confirm your identity and right to request this action. This ensures that only you can access your personal information and it is not disclosed to anybody else.
We aim to respond to all legitimate requests within one month. It may take longer than a month if your request is particularly complex or you have made several requests.
We will notify you and keep you updated if your request is likely to exceed the specified time period.
You will not normally have to pay a fee for any requests related to your personal data. However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Under certain circumstances under GDPR guidelines we may also refuse to comply with your request (for example if we are unable to confirm your identity, it is excessive/unfounded or repetitive)
How do I get in touch with the ICO?
If you feel that the IPPF has not treated your data appropriately, or you are unhappy with our response to any requests you have made regarding personal data, you have the right to register a complaint with the Information Commissioner’s Office (ICO)
The IPPF is registered with the UK ICO (Information Commissioners Office) no: Z5951615.
You can contact the ICO by calling 0303 123 1113 Or you can go online to www.ico.org.uk/concerns. (The IPPF are not responsible for the content or security of external websites.)
Cookies are tiny text files stored on your computer when you visit certain web sites and pages, which we use to keep track of what you are accessing, remember you when you return to our site and for anonymous statistical usage analysis and reporting.
If you don't wish to enable cookies, you'll still be able to use the site but some functionality and formatting may not work as well or at all.
Please note that cookies from the IPPF website (and most legitimate websites) do not damage or infect your computer. The IPPF cookies do not store any personally identifiable information, and any information gathered from them is only used to help improve users experience of the site. For example, they help us to identify and resolve errors while browsing.
The IPPF only use Google Analytics to monitor web site traffic (For purposes of performance and usage reporting. All information IPPF obtain from Google Analytics is aggregated and anonymized and does not identify an individuals IP address or any other personal information.
What Constitutes 'personal data' under GDPR
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymized – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Links to other websites
IPPF websites may include links to other 3rd party (non-IPPF) websites, plug-ins and applications. Clicking on these links or enabling connections to these sites or services may allow third parties to collect or share data about you. We do not control these sites and are not responsible for how they acquire, process and secure any personal information