Project Stakeholder Privacy Notice

Building leaky barriers at Smaden Head - credit Ousewem
A scrape or pond created to support natural flood management - credit Ousewem
A leaky barrier to help slow the flow of water - credit Ousewem

1.     Introduction

Under data protection law, individuals have a right to be informed about how the Trust uses any personal information that we hold about them. This privacy notice has been written to inform our project stakeholders about how and why we process their personal data.


YDRT is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this Privacy Notice.


The Data Controller (the organisation responsible for why and how your data is processed) is normally YDRT as defined by Article 4 (7) of the UK GDPR. If YDRT are undertaking a project under a contract with another organisation, for instance a project commissioned by a government body or business sponsor, that organisation may be the data controller. In this situation YDRT would be the data processor. The project information you receive will provide the name and contact details of the data controller if it is not YDRT.


We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.


Our Data Protection Officer (DPO) is Mary Boyd. (Please see ‘Contact’ at the end of this policy)


2.     Personal information we collect and hold about you

We collect, store, and use the personal information about you in relation to your involvement with our projects.


It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.


3.     How is your personal information collected?

We collect personal information about project stakeholders as listed below:

·       Personal contact details such as, title, addresses, telephone numbers, and personal email addresses (if business contact details are not available).

·       information about your land (if you have consented to our projects taking place on your land).

·       Photographs.

This information is either (a) provided by you or (b) created by us in the course of our activities during your relationship with us.


4.     Why is your personal information collected?

We may use the information collected from/about you:

4.1         where it is necessary for the operation of our project;

4.2         where we need to comply with a legal obligation; or

4.3         where it is necessary for our legitimate interests (or those of a third party) providing that our legitimate interest is not overridden by your interests or rights which require protection of your data.


We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.


Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


5.     Recipients of your personal data

We may disclose your personal information to third parties where we have your agreement or consent to do so or where required by law. “Third parties” includes third-party service providers (including contractors and designated agents).


Personal information may be disclosed to the following categories of recipient with your agreement or consent:

·       Our project partners and sponsors

·       Our volunteers (where appropriate for the purposes of volunteer activities taking place on your land)

·       Contractors

·       Consultants and other professional advisers


All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.


We may also need to share your personal information with a regulator or to otherwise comply with the law.

 

6.     Data security

We have put in place measures to protect the security of your information. Details of these measures are available upon request.


7.     Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.


In general terms this means that we will retain your personal information for the duration of your agreement with us and for the length of any applicable limitation period for claims which might be brought against us later. There are also certain types of information, such as In kind contributions or cash contributions to the project, which require to be retained for a certain period by law.


In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.


8.     Your rights

8.1 Requesting access to your personal data

Individuals have a right to make a ‘subject access request’  to gain access to personal information held about them.

If you make a subject access request, and if we do hold information about you, we will:

·      give you a description of it

·      tell you why we are holding and processing it, and how long we will keep it for

·      explain where we got it from, if not from you

·      tell you who it has been, or will be, shared with

·      let you know whether any automated decision-making is being applied to the data, and any consequences of this

·      give you a copy of the information in an intelligible form.

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

If you would like to make a request please contact the CEO or Finance Manager in the first instance.


 8.2 Other rights

You also have the right to:

·      object to processing of personal data that is likely to cause, or is causing, damage or distress

·      prevent processing for the purpose of direct marketing

·      object to decisions being taken by automated means

·      in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and

·      claim compensation for damages caused by a breach of the Data Protection regulations. To exercise any of these rights, please contact us using the information below.


9.     Complaints

We take any complaints about our collection and use of personal information very seriously.

 

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any concern about our data processing, please raise this with us in the first instance.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

·      report a concern online at https://ico.org.uk/concerns/

·      call 0303 123 1113

·      write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

 

10.  Contact

If you would like to discuss anything in this privacy notice, in the first instance please contact us


The Data Protection Officer for YDRT is:

Mary Boyd,

YDRT, 8 Kings Court, Pateley Bridge, Harrogate, HG3 5JWe