Privacy and Cookies policy
Latest revision: December 2014. Revision information is located at the bottom of this page.
Privacy International strongly believes that you have the right to control the use of your personal information, and that your privacy must be respected. We strictly limit the processing of your personal information, and to the best of our abilities we will work only with other organizations who do the same.
We will not use personal information that you provide to us in a manner inconsistent with the purposes for which you provided it to us.
Privacy International does not sell, rent or lease personal data.
Any subpoena or attempts by government agencies or private sector organisations to gain access to any information that you give us will be vigorously challenged.
In accordance with the Data Protection Act 1998 and the Office of the Information Commissioner we are not registered on the public register of data controllers as we are a not for profit organisation. Irrespective of this, below we outline in detail our organisational and website information processing practices in various sections: Organisational Policy, Communications, Financial and Supporter Information, Intern and Volunteer Information, Partner Organisations and Other Third Parties, Research, Data transfers, Cookies, Website, Corrections, & Changes.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
We collect as little personal information as possible in order to achieve our mission, which is described on our About Us page.
We maintain direct control over as many processes as we can. We conscientiously select and review trusted providers when possible, and review their security and privacy practices. When possible, encryption is used, both in transit and storage. Access controls within the organisation limit who may access information. We seek to limit the hosting of data on our webservers.
Emails received through email@example.com are reviewed by one staff member and sent onwards when necessary to other staff members. Similarly, emails sent to our other general addresses, e.g. firstname.lastname@example.org, are reviewed and deleted as quickly as possible. We do not disclose the names of senders to others outside of PI, i.e. third parties, without your permission.
We use email service providers in the United Kingdom. As a result our emails are susceptible to lawful access in the United Kingdom, and possibly through unlawful means by the UK Government and by other entities and countries. We do our utmost to remove emails from the servers as often as possible so that legal action would be directed at us instead of our email service providers. We select our service providers on the basis of their privacy awareness, and work with most of our service providers to advise them on privacy protection. Our current service provider is GreenNet (see below). We use variable envelope return path (VERP) in conjunction with our email service provider in order to administer undeliverable email messages.
Information we receive by post is collected by one staff member, reviewed, and sent onwards when necessary to other staff members. These items are destroyed as soon as possible. We do not disclose the names of senders to third parties, and we endeavour to keep files secure. When the content of messages is shared with others outside of PI, e.g. with our trustees, judging panels, etc., we de-identify the messages as much as possible.
We run a limited number of mailing lists, and the membership of the mailing lists are kept confidential, though this information is shared with our mail service and internet providers for the purpose of list-management.
Telephone calls received on our number are serviced by our phone provider and are beyond our control. As a result, the traffic data for these calls may be retained in accordance with various laws and a voluntary code of practice for the retention of communications data.
Financial and Supporter Information
We collect information provided by prospective and current donors. This may include contact details, biographical information, financial information, donation history, and employer details. We do not purchase such data, so we only collect information given to us by the individuals themselves. This information may be processed through CiviCRM software that we control but is hosted by our internet service provider. In some contexts we may be given information for ancillary purposes, for instance emergency contact details in connection with sporting events. Should that be the case, we will make available additional information upon request detailing how that information will be collected and processed.
Privacy International will ask donors wishing to make a donation under the Gift Aid scheme to complete an online or hardcopy Gift Aid declaration form. Privacy International is required to store an auditable record of those donors -- full name, home address and details of the donation in order to process the Gift Aid donation. To make a Gift Aid repayment claim, we are required to share that data with the UK Government -- HMRC's Gift Aid service, Charities Online. Please contact email@example.com for further information on making a Gift Aid donation.
Volunteers and Applicants' Information
Occasionally we receive employment information from prospective employees. This may include the individual's CV, biographical information, immigration status, photograph, and contact details, reference names. This information is shared internally until that individual becomes a candidate for employment. At that point we may share the CV with our advisers and trustees. We file unsuccessful applications for two years.
We also collect prospective and current intern or volunteer information for recruitment and administration purposes. This may include biographical information, contact details, references, immigration-related information and payment details for reimbursement purposes.
We keep all accounting and administration information for auditing purposes, in accordance with standard practice and UK law.
We collect information relating to research targets and current or potential participants in Privacy International research projects. This information may be provided to us by the individuals themselves, from publicly-available sources, or from other third parties. This information may include biographical information, employment details, financial information, photographs, contact details, information on political opinions, racial or ethnic background, religious beliefs, sex life, and information concerning the commission (or alleged commission) of any offence, and any related proceedings and sentences. This information is used in connection with research and investigations in connection with our mission, which is described on our About Us page.
We also use a cookie for managing your session: if you submit a form, a session cookie may be set to allow you to confirm a subsequent resubmission is not a duplicate. We do not store that cookie information. Our website content management system leaves a cookie for the administration of your session but it is not used for tracking purposes.
We work closely with our webhost service provider, GreenNet, to ensure that your personal information is protected. GreenNet is based in the United Kingdom.
The processing of web usage data is kept to a minimum. Our website management software only presents us with aggregate numbers of downloads of each document and does not provide us with access to IP logs. We honour do not track browser settings.
We use this information to provide an indication of faults and to identify peak usage times so that we can decide when to make major site modifications.
We also use this information to ascertain what material is of use to the general public. At no point do we deduce 'who' is downloading material. We only ascertain 'whether' and 'how many' downloads there are, and from what country the downloader may be originating from.
GreenNet may use the logs and other information for their own business purposes, such as for troubleshooting and defining usage patterns, in accordance with their Code of Conduct. We have reviewed their Code of Conduct and advised them on best practices.
GreenNet has refused to take part in the UK Government's voluntary traffic data retention scheme. As a result, visit logs (time, visitor's IP address, webpage visited, visitor's web browser and OS, referring webpage address) are kept for only seven days. PI does not access this information in its raw form and PI does not review specific user activity.
Privacy International uses social media and social networking services to advance our work. These applications require the use of third party service providers. Notably, we have a Facebook page, Twitter feed, a YouTube channel, and a Google+ page.
Finally, we use direct messaging on occasion in both media, where individuals and organisations contact us on Facebook by leaving messages in our Inbox or by sending us Direct Messages on Twitter. We aim to delete these messages as soon as we have responded to the queries.
The data that we collect from individuals may be transferred to, and stored at, a destination outside the UK or European Economic Area ("EEA"). It may also be processed by staff operating there who work for us or for one of our partners or third party service providers. These may be engaged in, among other things, the processing of donations, outreach campaigns, or research projects. We work hard to ensure that data remains within jurisdictions with adequate protections for personal data. Where this is not possible, we rely on data minimisation, the selection of companies with privacy policies and auditable processes, and seek to ensure legally enforceable commitments to the protection of transferred data. By submitting your personal data, you agree to this transfer, storage and processing.
Access to your personal information and corrections
Privacy International will endeavour to keep your personal information accurate. If you require access to personal information we hold on you, wish to amend an inaccuracy, or have your information deleted from our files then please contact the Data Controller at firstname.lastname@example.org.
Changes to this policy
In the event that this policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to seek your consent.
The UK Data Protection Act 1998 gives you the right to request access to information that we hold about you (a subject access request). Whilst we aim to respond to most subject access requests for free, we may exceptionally charge a fee of up to ¬£10 in response to some requests. Requests can be submitted by email to email@example.com, or by post to the physical address set out below.
About Privacy International
The data controller for data collected and processed in accordance with this policy is Privacy International. Privacy International is a registered UK charity (No. 1147471) and is registered with Companies House in the United Kingdom. Our address is Privacy International, 62 Britton Street, London, EC1M 5UY, United Kingdom.
In particular, we have moved to a Drupal-based website that uses session cookies. The current configuration involves session cookies that last one month, but we are trying to find ways to reduce that period of time.
In May 2011 we began using analytics on our website to monitor when, where and how people access information so that we can redesign the site to better suit our users' needs. We selected to use our own Piwik implementation because it has included some privacy elements in the design process (see the Piwik blog for some mention of this functionality). While we disagree with the use of the term 'anonymity', we have implemented AnonymizeIP, which removes the last octet of the IP addresses. We are looking into the use of iframes for the purpose of enabling an opt-out but we are concerned with the abuse of iframes.
Updated March 16, 2007 to include language regarding the processing of data by PayPal.
Updated April 11, 2007 to fix syntax errors and add information regarding Neomailbox's privacy practices for our communications data.
Updated July 20, 2009 to change our mailing address.
Updated November 12, 2009 to include information on our use of Social Media.
Updated in February 2011 to notify users of our transition to new internet services. In particular, we have moved to a Drupal-based website that uses session cookies. The current configuration involves session cookies that last one month, but we are trying to find ways to reduce that period of time.
Updated in June 2011 to notify of our transition to using analytics.
Updated in May 2012 to notify of analytics (piwik) now run by PI not a trusted partner.
Updated in June & July 2012 to take account of the "Cookies law", and explain that we now honor DoNotTrack through our piwik analytics suite. We also added a cookies section to this policy. We also updated the email provider to remove references to our previous provider, and note that our mail is hosted by GreenNet. We also made updates due to our status as a charity.
Updated in December 2014 as part of a review of our personal data handling practices, and our new website, and changes to providers.