St Mungo’s Central Privacy Policy

St Mungo’s is committed to keeping your data safe. We’re also committed to being up front and honest about what information we’re collecting, why we do this, and how we use it.

We will not share any of the information with any third parties for marketing purposes and your information will generally only be stored within the European Economic Area. Where this is not the case, they are stored in a recognised country, as defined by the Information Commissioner’s Office (ICO) or are protected under the EU-US Privacy Shield, and we will be upfront about this. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

If you support us: Campaigns, Fundraising and Social Media

Campaigns

What do we collect when you support our online campaigns?

When you participate in one of our online campaign actions (such as signing a petition or writing to your MP), you provide us with personal data such as your name, email and postal address. We will retain this information, together with a record of the action you took, for the purposes of analysing and reporting on our campaigns activity and to enable us to tailor our communications to you (where applicable).

If you opt-in to receive email updates about our campaigns, we will email you regularly with information about our campaigns and the actions you can take to support them. We will also add your details to our organisation-wide supporter database, which enables us to get a full picture of your relationship with St Mungo’s and to tailor our communications to you accordingly. You can opt-out of these emails at any time, and you’ll need to renew your consent every two years for us to keep emailing you (we’ll send you a reminder when the time comes).

Our legal basis for collecting your information

We collect your information under two legal bases:

  • Consent - for us to contact you regarding future campaigns
  • Legitimate interest – for us to tailor the types of communications you receive according to your activity

Storage and Sharing of your information

Our online campaign actions are created using the Engaging Networks platform, and any data you submit on a campaign page will be stored and processed by Engaging Networks. As a result, your data will be stored at a destination outside of the European Economic Area (EEA) in Canada which is a recognised country by the ICO. Engaging Networks are required by contract and Canadian law to protect your data to standards compatible with UK data protection laws. You can read the Engaging Networks privacy policy here. We use Engaging Networks to gather statistics relating to email open-rates, page conversions and other industry standard benchmarks in order to assess and improve our campaign emails and web pages. We remain in sole control of any information you provide and Engaging networks will only ever process your personal information as directed by us.

Occasionally third party organisations collect data on our behalf as well as for their own use. In these circumstances we may receive your personal data from third party organisations for our marketing purposes, but only where you have consented to this. Third party organisations we may receive data from include online petition platforms such as Care2 and Change.org. These organisations have their own privacy policies which you should read before signing up to them. Information we receive from these sources will consist of your full name and email address and – if you provided it to them – your postal address.

Where you have provided us with your personal details, we may provide your email address in an encrypted format to third party organisations collecting data on our behalf (as described above) for the sole purpose of ensuring that no duplicate data are collected. Our contract with such providers will require them to make no other use whatsoever of your data.

We never sell your data to any third party organisation to use for their own purposes.

Removing your data

If at any time you (i) are not currently subscribed to receive campaign updates by email and (ii) have not taken one of our online campaign actions for three years, we will anonymise or delete your personal data from our campaigner database. Please note that your personal data may still be held in another database by St Mungo’s if you have another relationship with St Mungo’s (e.g. donor, volunteer).

Fundraising

What information do we collect?

The personal information we collect might include name, date of birth, email address, postal address, telephone number and credit/debit card details. Data Protection law recognises that certain categories of personal information are more sensitive. These are known as special categories of data and cover data concerning health, race, religious beliefs and political opinions. We do not usually collect special categories of data about our supporters unless there is a clear reason for doing so such as participation in a run or walk or similar fundraising event or where we need to ensure we provide the appropriate facilities or support to enable you to participate in an event.

Our legal basis for collecting your information

We collect your information under the following legal bases

  • Consent – we will always ask for your consent to contact you for marketing and profiling purposes.
  • Legitimate Interest – charity governance including reporting and compliance, providing information about our services and research, and contacting you via post.
  • Legal obligation – we are required by law to retain information when a donation is submitted with Gift Aid, and where we record actions for a regulatory reason.
  • Contract – this is used when you set up a direct debit donation.

How do we collect information?

Information we collect from you

You get in touch with us directly, for example to take part in a fundraising event, make a donation or communicate with us for another reason. This could also be through an organisation we work with who contacts you on our behalf.

Your information is passed on to us, with your permission, by an independent fundraising organisation; for example, if you raise money for the ICR by running in the Virgin Money London Marathon or donate to us through the Just Giving website. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Information we collect from other sources

We combine information you provide to us with information available from other sources. This, for example, enables us to contact you in the event that you change your address or phone number, or to gain a better understanding of your interests.

The information we receive from other organisations may depend on the permissions you have given them, so you should regularly check these.

This information comes from the following sources:

Third party organisations — You may have provided permission for an organisation to share your information with third parties, including charities. This could be when you buy a product or service or register with them.

Social Media — Depending on your settings on services like Facebook, WhatsApp or Twitter, or their privacy policies, you might give us permission to access information from those services.

Public information — This might be from a wide variety of sources such as newspapers and magazines, the internet, Companies House, etc.

How do we use your information?

We will use your personal information for:

  • Processing donations
  • Complying with our legal obligations policies and procedures
  • Providing and personalising our services
  • Dealing with your enquiries and requests and responding to complaints
  • Fundraising, including personalising and sharing information about the work of our charity, making financial requests and promoting our fundraising events, products and services.
  • For administrative purposes
  • Undertaking due diligence that protects the charity and/or supporter from risk or harm

We will never sell or share your details.

Personalisation and Profiling

For example, google-based searches when, as mentioned, we already have a relationship or strong legitimate interest prior to entering into a relationship with a donor or potential donor. And, where the information will be used solely in order for us to communicate with them in an appropriate, tailored manner.

Sharing your information and marketing

Fundraising, in particular being able to communicate with you about the work we do, is critical to our ability to provide services to people who are homeless.

We use the details you provide to us to communicate with you about our work to end homelessness and rebuild lives. We would also like to tell you how your support is helping and about other ways you can help in the future, whether that’s through volunteering, events or fundraising. From time to time we might also send you appeals asking for a donation.

We promise that will only communicate with you in the way you wish us to and we will always respect your privacy. You can change your mind at any time and it is quick and easy to let us know that you no longer want to hear from us. You can do this by calling the Supporter Care Team on 020 8600 3000 or email us at supporter.care@mungos.org. We will always respond to your wishes in a sensitive, timely, courteous and professional way.

Please be assured that we will take appropriate measures to keep your personal information safe and secure and we promise not to over contact. We will never pass your personal information on to other organisations for them to use for their own marketing purposes.

For internal uses of your non-sensitive data, where it has not be appropriate to obtain your consent or there are no legal reasons for us to so, we will collect your information as a legitimate interest of St Mungo’s. This is because when you, for example, request to receive services or products from us, we have a legitimate organisational interest to use your personal information to respond to you and there is no overriding prejudice to you by using your personal information for this purpose. However we will always provide you with the option to opt-out of continuing to hear from us.

We will never send marketing emails to you without your consent.

Updating your marketing preferences

You have a choice about whether you want to receive information about the Charity’s work and fundraising activities. We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted and we will never be in touch for marketing purposes via email or telephone unless you have given us your consent. You can change your marketing preferences (such as email or post at any time), by contacting the Supporter Care Team on 020 8600 3000 or email us at supporter.care@mungos.org

Our promise to you

  • Only information that we actually need is collected and it is only seen by those who need it to do their jobs
  • We will only disclose data to third parties when obliged to disclose personal data by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or we have your consent.
  • We never sell or share your data to third parties.
  • Personal information is retained only for as long as it is required for the purpose collected.
  • Wherever we hold your information on the basis of your consent, we will look to reobtain your consent every two years
  • We will keep your information up to date
  • Your information will be protected from unauthorised or accidental disclosure
  • We will provide you with a copy of your personal information on request (please see below for information on access rights and requests)
  • Inaccurate or misleading data will be corrected as soon as possible
  • These principles apply whether we hold your information on paper or in electronic form.
  • We will never sell or share your details.

Visiting our website

What we collect and how we use it

When you visit http://www.mungos.org we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to track interest on specific pages, see how the site is being used and look at how we can make improvements to the site. The information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempts to find out the identities of those visiting the St Mungo’s website. If we do ever try and link our cookies and tracking information, we will be up front about it, explaining why and what we intend to do with it.

Cookies

You can read more about how we use cookies on our cookies page.

How we collect your information

WordPress

The St Mungo’s website is built with WordPress, is hosted using Amazon Web Services and receives support from Itineris who are contracted as a data processor for St Mungo’s. The site uses standard WordPress services to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site and how long they spend on a given page. We do this to monitor and report on the effectiveness of the site and help us improve it.

Further information about Amazon Web Services and your privacy can be found at https://aws.amazon.com/privacy.

Further information about Itineris can be found at https://www.itineris.co.uk/privacy.

Facebook pixel

This site uses a Facebook pixel to collect data on visitor behaviour, for example:

  • which pages are visited
  • which device was used to view the website
  • what actions were taken

This information may be used to serve relevant Facebook ads in the future. You can opt out of collection of information and third party adverts by using the following services:

Contacting us via Social Media

We use a third party provider, Hootsuite, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Hootsuite for three months, and as such you should not submit sensitive personal data in this way. Instead outline the general details of your request and a member of staff will respond or direct you to someone who can help. Your message will not be shared with any other organisations.

When you email us

Any email sent to us, including attachments, may be monitored and used by us for reasons of security and monitoring compliance with office policy. Email monitoring and blocking software can apply if an email triggers one of our built in safeguards. St Mungo’s uses a third party called Mimecast to provide security and backup services for St Mungo’s email.

For more information about how email data is processed, see Mimecast’s privacy policy and information security policy.

If you interact with any of our projects and services

What we collect and how we use your information

When engaging with our services there will be some personal information which we need to collect in order to offer you the best possible support. As each service requires different information you will receive a printed privacy notice which will explain:

  • What information we need to collect
  • The legal reason we collect this and why we need it
  • How long we will hold onto your data after you’ve left the service
  • How you can exercise your data protection rights.

Our legal bases for collecting you information

Depending on the service we will collect your information under one or more of the following legal bases:

  • Consent – we will use this where we can offer you a choice as to whether or not we collect, store, share or otherwise process your information. This will be made clear to you, and will not be done unless we have your consent.
  • (Substantial) Public Interest – where we are working to assist with public law we will collect your information under public interest. We will be clear about why we have to collect this information, how it will be used, who you can expect it to be shared with and why.
  • Contract – in some cases we need to collect information in order to fulfil a contract, this will generally be when you have a tenancy or licence agreement with us.
  • Legitimate Interest – we may collect other information about you which we believe will assist you when you are with us. This will be used to ensure you are receiving tailored and specific support around your needs.

If you have any objections to these types of processing, you can contact the Data Protection Officer using the details below.

Sharing your personal information

We may need to share some of your information, and we will always take appropriate precautions before doing so. If there are parties we share with regularly, their details will also be provided in your privacy notice, along with a reason for doing so.

Where we do not need to share information, we will always ask for your consent. We do this to respect your right to have a control over your data, and where it is going.

Questions about your data

If you have any questions please speak to your service manager or you can contact our Data Protection Officer using the details below.

If you currently or have previously used one of our services and would like to understand or exercise your data protection rights, you can also contact our Data Protection Officer using the details below.

How long do we keep your information for?

We will keep your data for a period of 3 years, after you have left the service. Your data will then be minimised and only the following information will be kept:

  • Your name and date of birth to identify you should you re-engage with a St Mungo’s service in the future.
  • A list of the services you engaged with including dates of entry and exit, again this would be able to help us better support you should you re-engage.

In some exceptional cases we may have to keep additional information. This will only be done if there were any significant risks to other clients, staff or property which we’d need a record of should you re-engage.

This information will only be kept for a maximum of 7 years after you have left the service.

Staff and Applicants

Staff, apprentices, and locums

What information we collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive data which require a higher level of protection.

We will collect, store and use the following categories of personal information about you:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • information about your right to work in the UK;
  • the terms and conditions of your employment;
  • recruitment documents for roles that you have held, including application, interview notes, shortlisting information, tests and references;
  • details of your qualifications, professional memberships, skills, experience and employment history, including start and end dates and work locations, with previous employers and with the organisation;
  • information about any potential probity issues or conflicts of interest;
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • details of your bank account and national insurance number;
  • information about your marital status, next of kin, dependants and emergency contacts;
  • information about your status to drive;
  • details of your schedule (days of work and working hours) and attendance at work;
  • details of periods of leave taken by you, including holiday, family leave and sabbaticals, and the reasons for the leave;
  • details of any disciplinary, capability or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • details of any safeguarding concerns or referrals made to the Disclosure and Barring Service (DBS);
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
  • supervision and other management notes in relation to the performance of your role;
  • information related to health and safety claims, accidents, complaints incidents which you may be party or a witness to;
  • feedback you have provided for others through our performance management processes;
  • information about your use of St Mungo’s information and communications systems;
  • photographs; and
  • CCTV footage and door pass entry information;

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • information about your criminal record;
  • information about your nationality and entitlement to work in the UK;
  • details of periods of sickness absence taken by you, and the reasons for the leave;
  • details of attendance and sickness procedures in which you have been involved, including any stages of the process you have reached and correspondence;
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
  • details of trade union membership; and
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

Our legal bases for collecting your information

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest of for official purposes.

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations or exercise rights in connection with employment, for example, in order to administer certain benefits, such as pensions schemes, life insurance or PHI / critical illness insurance.
  • Where it is needed in the public interest, such as equal opportunities monitoring or reporting safeguarding concerns.
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

How we collect your personal information

St Mungo's collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the organisation collects personal data about you from third parties, such as references supplied by former employers; recruitment agencies; assessment information provided by assessment providers; medical information provided by medical professionals and information from criminal records checks permitted by law.

We will collect additional personal information in the course of job-related activities throughout the period of you working with us.

How we use your personal information

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below – for more information please see the Employee’s Data Summary Schedule.

  • Running recruitment processes and making decisions about pay and terms.
  • Checking you are legally entitled to work in the UK and you are suitable for the role that you are engaged to conduct.
  • Maintaining accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights.
  • Paying you and deducting tax and National Insurance contributions.
  • Administering benefits.
  • Gathering evidence in relation to and operating and keeping a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace.
  • Gathering evidence in relation to and operating and keeping a record of employee performance and related processes, to plan for career development, and workforce management purposes.
  • Operating and keeping a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Obtaining occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Operating and keeping a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Complying with health and safety obligations.
  • Ensuring effective general HR and business administration.
  • Ensure effective business management, monitoring and planning activities.
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies and effective discharge of your duties.
  • To provide references on request for current or former employees.
  • Responding to and defending against legal claims.
  • Maintaining and promoting equality in the workplace.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use your sensitive information

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to your nationality in order to ascertain your right to work in the UK.
  • We will use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
  • We will use information about your physical and mental health, or disability status, to ensure your health and safety in the workplace and assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race, national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our policies in relation to Pre- Employment Checking and Employing People with Criminal Records.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or you have already made the information public.

We may also process such information about members or former members in the course of legitimate business activities with appropriate safeguards.

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use the information about criminal convictions and offences in the following ways:

  • To ascertain your suitability (on an ongoing basis) for your role and employment at St Mungo’s.
  • To inform any appropriate discussions or processes in line with our Code of Conduct and Disciplinary Procedures.

We are allowed to use your personal information in this way to carry out our duties as an employer working in fields with regulated activity and/or with vulnerable adults and/or children and/or in line with the requirements of the Rehabilitation of Offenders Act. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Sharing your information

We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

Who we share with

“Third parties” include third-party service providers (including contractors and designated agents).

St Mungo's shares your data with third parties who manage our databases and administrative systems and in order to obtain pre-employment references from other employers, obtain assessments as part of a recruitment process, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a potential TUPE transfer or when running a staff survey.

St Mungo's also shares your data with third parties that process data on its behalf, in connection with insurances and legal advice, employee relations matters, payroll, the provision of benefits and the provision of occupational health services.

Keeping your information secure

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. With the exception of our occupational health provider (who uses your data for the purposes of advising you directly and safeguarding your wellbeing) we do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may share your personal information with other third parties, for example in the context of possible mergers or take-overs, the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. We may also need to share your personal information with a regulator or commissioner/funder or to otherwise comply with the law.

Sharing outside of the EEA

Subject to the exceptions below your data will not be processed outside of the European Economic Area (EEA).

  • Our online test provider is based in the United States and as such data related to the online tests will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the test provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome
  • We may from time to time use an online survey tool based in the United States and as such data contained in surveys will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the survey tool provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome 

Keeping your information secure

St Mungo's takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except as required by its employees in the performance of their duties. We operate under a suite of Data Protection Policies, a Data Retention Schedule and restrict access to our systems and files appropriately.

Where St Mungo's engages third parties to process personal data on its behalf, it does so on the basis of written instructions and only where the third party has agreed to treat the information confidentially and to implement appropriate technical and organisational measures to ensure the security of data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long we keep your data

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use of disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For more information please see the Employee’s Data Summary Schedule.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee or worker of the company we will retain and securely destroy your personal information in accordance with our data retention policy.

Volunteers

What information we collect

The organisation collects a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number;
  • details of your, skills, experience and motivations for volunteering
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;
  • information about your criminal record;
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief; and

The organisation collects this information in a variety of ways. For example, data might be contained in application forms, CVs, obtained from your passport or other identity documents.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, educational / training establishments, work experience providers or other appropriate referees as provided by yourself and information from criminal records checks.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

Why we collect and process this data

The organisation needs to process data to administer your volunteering application

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from volunteer applications allows the organisation to manage the recruitment process, assess and confirm a potential volunteer’s suitability for the role you have applied for.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of volunteers and has concluded that they are not.

The organisation processes health information to see if reasonable adjustments can be made to support a potential volunteer’s application.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to that volunteering role

Following the conclusion of any recruitment exercise, the organisation will keep your personal data on file for 6 months to respond to any questions about the process.

Who else has access to this data

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the Volunteering team, volunteer supervisors in the service where the role is based and IT staff and business insight teams if access to the data is necessary for the performance of their roles.

The organisation will not share your data with third parties, unless your application to volunteer is successful. The organisation will then share your data with relevant individuals and organisations (provided by yourself) to obtain references for you, and the Disclosure and Barring Service to obtain necessary criminal records checks.

Subject to the exception below your data will not be processed outside of the European Economic Area (EEA).

Your data will only be processed outside of the European Economic Area (EEA) in the following circumstances:

Where we need to obtain reference information where the referee is not based within the EEA this will require basic data transfer outside of the EEA. In this situation you will have provided the relevant contact details for the referee.

Keeping your information secure

St Mungo's takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except as required by its employees in the performance of their duties. We operate under a suite of Data Protection Policies, a Data Retention Schedule and restrict access to our systems and files appropriately.

Where St Mungo's engages third parties to process personal data on its behalf, it does so on the basis of written instructions and only where the third party has agreed to treat the information confidentially and to implement appropriate technical and organisational measures to ensure the security of data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long we keep your data

If your application to volunteer is unsuccessful, the organisation will hold your data on file for seven months after the end of the relevant recruitment process.

If your application to volunteer is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your volunteering. The periods for which your data will be held will be provided to you in a new privacy notice.

Applicants

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information we collect

The organisation collects a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number;
  • details of your qualifications, skills, experience and employment history;
  • information about your performance in all aspects of assessment process, including job application; tests and interview;
  • information about your current level of remuneration, including benefit entitlements;
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;
  • information about attendance in previous roles and / or disability or non-disability related health conditions;
  • information about your work history including any gaps;
  • information about your criminal record;
  • information about your entitlement to work in the UK;
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief; and
  • your view of the assessment process.

The organisation collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests, or online surveys. The data might also be collected from publicly available sources, such as websites.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, educational / training establishments, work experience providers or other appropriate referees as provided by yourself and information from employment background check providers and information from criminal records checks. The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

Why we process this information

The organisation needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you. It also processes your data for the purpose of assessing its own performance through recruitment processes.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment. In addition this information is processed (along with advice from occupational health) to make a judgement in relation to whether someone is suitable for a role.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

Following the conclusion of any recruitment exercise, the organisation will keep your personal data on file for 6 months to respond to any questions about the process, or legal challenges. In some situations, we may also keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.

Who can access this data

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

During the assessment process, the organisation will share your data with online test providing companies and in certain situations with assessment panel members external to St Mungo’s. Otherwise, the organisation will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organisation will then share your data with relevant individuals and organisations (provided by yourself) to obtain references for you, employment background check providers to obtain necessary background checks, Occupational Health Advisor to obtain any necessary health advice, the Disclosure and Barring Service to obtain necessary criminal records checks and our contract administration system to issue a contract.

Subject to the two exceptions below your data will not be processed outside of the European Economic Area (EEA).

Your data will only be processed outside of the European Economic Area (EEA) in the following circumstances:

  1. Our online test provider is based in the United States and as such data related to the online tests will be transferred outside of the EEA. In this situation data is transferred outside of the EEA on the basis that the test provider has signed up to the EU-US Privacy Shield Framework. More information about the Privacy Shield Framework can be found here: https://www.privacyshield.gov/welcome
  2. Where we need to obtain reference information where the referee is not based within the EEA this will require basic data transfer outside of the EEA. In this situation you will have provided the relevant contact details for the referee.

How we keep it safe

The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

How long do we keep your information

If your application for employment is unsuccessful, the organisation will hold your data on file for seven months after the end of the relevant recruitment process.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

If you work with us: Contractors, commissioners

If we work with you on an official capacity, we may have retained your details under the legal basis of legitimate interest.

These details will never be sold, shared or used for fundraising or marketing purposes, but only so that we can make contact regarding our working relationship.

If you request we remove your details, we will of course do so in a timely fashion.

Your Rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

Queries and complaints

For any queries or complaints regarding the use of your data please contact any of the below who will be able to assist you.

Maya Kotecha

Data Protection Officer

InfoSec@mungos.org

Tel: 020 3856 6121

Write: Information Security, St Mungo’s, 3 Thomas More Square, Tower Hill, London, E1W 1YW

Complaints

complaints@mungos.org

Tel: 020 3856 6068

Write: Quality team, St Mungo's, 3 Thomas More Square, Tower Hill, London E1W 1YW.

Please note - we are unable to see personal callers at this address

The Information Commissioner’s Office

http://www.ico.org.uk

Tel: 0303 123 1113