The Autism Directory
We are The Autism Directory, an England and Wales charitable company limited by guarantee (with company number 7373840), charity number 1143855.
We take our duty to process your personal data very seriously. This policy explains how we collect, manage, use and protect your personal data. Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
If you would like more information or would like to change the way we communicate with you, please contact us here:
• Email: [email protected]
• Post: Unit 21 Business Development Centre, Treforest Industrial Estate, Rhondda Cynon Taf CF37 5UR
• Phone: 01443 844764
What information does The Autism Directory collect about me?
Personal information is collected directly from you when you interact with The Autism Directory, for example signing up to a campaign action, enquiring about an event, participating in an event, registering as a volunteer or ambassador, signing up to our newsletter, calling our helpline, purchasing a product, making a donation or otherwise communicate with us. Information may be collected in person, over the phone, online, on paper or by SMS.
The information we collect will typically include:
• your name,
• you contact details (including postal address, telephone number, email addresses, social media identity)
• your date of birth
• your bank details if you are supporting us financially
• if you volunteer for us or apply for a job, information necessary for us to process your application and assess your suitability (including employment status, previous experience, as well as any criminal convictions and court cases, and whether you are barred from working with vulnerable children or adults)
• information about your activities on our websites and about the device you use to access these, such as your IP address and geographical location
• information about events, products and information which we consider to be of interest to you
• information as to whether you are a taxpayer to enable us to claim Gift Aid
• any other personal information you provide to us
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data would be information about health (including diagnosis of autism), race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information to the extent that there is a clear reason for us to do so, for example asking for health information if you are taking part in a sporting event, or where we ask for information for the purpose of providing appropriate facilities or support. We will also collect this type of information if you make it public or volunteer it to us.
Wherever it is practical for us to do so, we will make why we are collecting this type of information clear and what it will be used for.
We may also receive information about you from other sources, as explained below.
How is my information used?
The Autism Directory complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We collect this information in order to process your requests and to also keep in touch with you about The Autism Directory’s work. Examples include:
• to provide you with the services, products or information you have requested
• to process donations or other payments and verify financial transactions
• to process Gift Aid donations
• to send fundraising appeals
• to invite you to participate in campaigns and events
• to record any contact we have with you to help us ensure we provide you with the most appropriate communications
• to keep a record of your relationship with us
• to respond to or fulfil any requests, complaints or queries you make to us
• to understand how we can improve our services, products and information by conducting analysis and market research
• to send marketing communications
• to further our charitable objectives
• send you correspondence and communicate with you
• process your application for a job or volunteer position
• to notify you of changes to our policies
• to check on your preferences from time to time to ensure they are up to date, including your contact preferences
• to ensure that content from our site is presented in the most effective manner for you and for your computer
• meet our legal obligations to regulators, government and/or law enforcement bodies
• establish, defend or enforce legal claims
• from time to time we may use external data sources to increase or enhance the information we hold about you.Further details can be found in the ‘How do you work with third parties in processing my personal data?’ section below.
How do you work with third parties in processing my personal data?
Certain third party organisations collect data on our behalf as well as for their own use. We may receive your personal details from third party organisations for our marketing purposes where you have consented for this information to be shared.
Third party organisations we currently receive data from are JustGiving, Virgin Money Giving, BT MyDonate, certain Event companies and Eventbrite. These organisations will have their own data protection and privacy policies which you should be aware of before signing up.
We may also disclose or use personal information if required to do so by law and may use external data for the purposes of fraud prevention, for example to comply with money laundering regulations, or otherwise to protect the rights, property or safety of individuals.
Your information may be used to ensure that The Autism Directory complies with the Fundraising Regulator’s Code of Fundraising Practice, which stipulates that we must take steps to assess and manage risks to our work and reputation with regard to certain levels of donation. More details can be found at www.fundraisingregulator.org.uk.
What is the legal basis for processing my personal data ?
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators such as the Charity Commission or Fundraising Regulator, or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us (for instance some branded merchandise or, in some cases, an event place), applying to work/volunteer with us, or being funded to undertake any work or activity.
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities The Autism Directory carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
• analysis and profiling of our supporters using personal information we already hold;
• use of personal information when we are monitoring use of our website or apps for technical purposes;
• use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and beneficiaries;
• where you have signed up with us for a third party event (for example a sponsored run or Skydive), sharing personal information with the third party event organiser so they can administer the event.
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way.
When we use sensitive personal information we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
How secure is the information I give you?
The Autism Directory takes the care of your data seriously and undertakes to protect your personal information in a range of ways including secure servers, firewalls and SSLencryption.
We follow payment card industry (PCI) security compliance guidelines when processing credit card payments and any personal information transferred between locations will be both encrypted and password protected. Unfortunately, the transmission of information using the internet is not completely secure. Although we will do our best to protect your personal data sent to us this way, we cannot guarantee the security of data transmitted to our site.
How long will you keep my information?
We will retain your information for as long as you have an active relationship with The Autism Directory. If you cease to have an active relationship with us or request to receive no further contact, we will retain some basic information in order to avoid sending you unwanted materials in the future.
In some cases we are required to keep some personal information for tax or health and safety purposes as well as records of your interactions with us. We have specific criteria for these cases and for how long we must retain your information.
Will my information ever go outside Europe?
The Autism Directory is aware that countries outside the European Economic Area have differing approaches to data privacy laws, and that enforcement may not be as robust as it is within Europe’s borders.
Organisations we work with who process data in the USA have verified their data processing standards meet the EU-US Privacy Shield, which sets out clear safeguards and transparency responsibilities for US-based organisations processing data from EU citizens.
What are my rights with regards to my personal data ?
Unless subject to an exemption you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which The Autism Directory holds about you;
- The right to request that The Autism Directory corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for The Autism Directory to retain such data;
- The right to withdraw your consent to the processing at any time if no other legitimate reason for processing exists;
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data when processing is based on legitimate interest and direct marketing.
- The right to lodge a complaint with the Information Commissioners Office.
How do I request an information access report?
To request an information access report which details the information we hold about you, please send your request in writing to the The Autism Directory Data Protection Officer at the following address:
Data Protection Officer Unit 21 Business Development Centre, Treforest Industrial Estate, Rhondda Cynon Taf, CF37 5UR
We aim to issue an initial response to all enquiries within five working days, and will offer a full response to all information access requests within thirty working days of receipt. The Autism Directory will provide a copy of this information free of charge.
If we wish to use your personal data for a new purpose, not covered by this GDPR notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
This policy was last updated in May 2018.
The Autism Directory reserve the right to make alterations from time to time. Please check our website from time to time for the latest version.