Privacy policy – supporters, volunteers and trustees

Our Privacy Policy applies to personal data collected and used by Blind Veterans UK Group. Under data protection law and regulation, we are a ‘data controller’ and are registered as such with the Information Commissioner’s Office (Registration Number: Z6040633).

Since 1915, the Blind Veterans UK Group has held to the belief that no-one who has served our country should battle blindness alone. That's why we're here to help with lifelong practical and emotional support for blind veterans, regardless of when they served or how they lost their sight. We help veterans recover their independence and discover a life beyond sight loss.

References to "Blind Veterans UK Group", ‘the charity’, “our’, ‘us’ and "we" mean Blind Veterans UK registered charity 216227 in England and Wales and SCO39411 in Scotland.

This also includes: our wholly owned subsidiary charitable trading company, Four Seasons NWMC Housing Limited (registered company No. 01882050); managing our properties and tenants; BRAVO VICTOR Limited (BV) (registered company No.13144807) and Registered charity in England and Wales number 1195189 and in Scotland number SC051265 conducting Biomedical, Social & Welfare and Innovation research and the St Dunstan’s Retirement Benefits Plan (1973). For the purposes of the pension scheme, we are Joint Controllers with St Dunstan’s Retirement Benefits Plan (1973).

What we need to collect

We need to collect and use personal data about our supporters, volunteers and trustees to allow us to provide individuals with the information and services asked for and to provide or to allow individuals to support us in the ways they wish to.

For data to be considered ‘personal’ it must relate to an identified or identifiable individual. An individual can be identifiable either directly or indirectly. What specific data is used is important especially as not all data is of equal significance, the more unique a piece of data relates to an individual, the easier it is to identify that individual. An individual is directly identifiable when using common identifiers such as a name, an address, or an assigned email address. Directly identifiable data now includes digital information, such as online identifiers or an IP address which can be related to an individual. An individual can be indirectly identifiable due to association with unique or uncommon personal data, an example is a unique job title within a workplace. If there is only one individual with a specific job title, that individual is indirectly identifiable by that job title. Where we use data that is insufficient to identify an individual this is not considered use of personal data within UK law. If identifiable data is used but the use does not specifically relate to an individual then this processing is also not considered as making use of personal data. An example of this would be the email footer of a trustee’s assigned email account, while the footer includes identifiable data, (the name of the trustee), the purpose of any emails sent is related to the duties of serving as a trustee, it is not related to the individual trustee, so it is not considered a use of personal data.

If a supporter, for example was to make a donation, register to fundraise, sign up for an event or buy merchandise, we will usually collect personal data:

• Name.
• Contact Details (Postal address, telephone number, email address).
• Date of birth.
• Payment details (if supporting us financially or making a purchase).
• Voluntary data to assist us in understanding our supporter base such as a reason for supporting us or how someone heard about the charity.

When a volunteer offers their time to engage with our members or their skills to assist us it will be necessary for us to complete a basic Criminal Records Check (Disclosure and Baring Service or Disclosure Scotland). This is to assist us with the making of safer volunteering recruitment decisions. This is in addition to the above personal data the following may also be processed.

• DBS / DS Reference number, type of disclosure, date of issue
• Volunteering placement confidential references
• Next of Kin contact details in case of emergency.
• Nationality.
• Gender.
• A national insurance number.
• Driving licence and or passport details and where necessary valid visa documentation.
• Bank account details, salary, tax, pension status, pension entitlement and expenses details.
• Profession and Job title.

If serving as a trustee, in addition to the personal data above we need to collect the following additional personal data which is necessary to comply with UK Company and Charity legislation and required to be provided to the Charity Commission.

• Home residential address
• Place of birth (In addition to date of birth)
• Citizenship
• Employment / Business Interest information including employed and voluntary position(s), any directorship(s), consultancy role(s).

It may be necessary to ask a trustee for additional personal data for processing purposes specific to serving as a trustee, which may not be expected. If this need was to occur we will ask directly for the specific personal data necessary and we will always explain why we need it.

We will be clear with individuals when we wish to collect such data, our reason for collecting such data and we will only do so when we have a lawful basis for processing the data. For supporters under 16, we value the support, but please ensure the permission of a parent or guardian has been obtained before giving us any personal data. We ensure than an individual always retains the right to change their communication or opt in preferences at any time.

Special Category data. Data protection law and regulation recognises certain personal data as ‘special category’ data and as being particularly sensitive. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain special category personal data. For example:

• Individuals may reveal personal or special category data if, they share photos, contribute to our Review magazine or, use our website or social media channels
• If an individual was to sign up to support us at an event that may be physically demanding, we may ask for any relevant health conditions to be disclosed that we or the organisers need to be aware of.
• We may use this collected supporter data for the purposes of monitoring and ensuring we provide equal opportunities to supporters and volunteers or to cater for specific requirements when supporting us.

If an individual freely provides/consents, either at our request or voluntarily, to the collection of any ‘special category’ (sensitive) personal data, the individual explicitly agrees that we may collect and use it in order to provide our services and processed in accordance with this Privacy Policy.

Criminal Offence data. To assist us with the making of safer recruitment decisions, all volunteers will be required to participate in a Basic DBS check. This processing of criminal offence data for recruitment purposes is permitted in accordance with DPA 2018 Schedule 1, Part 3. (See: Section 6 for more details).

If as a Volunteer or Trustee role will include direct face-to-face engagement with a Blind Veterans UK Group beneficiary, such as a volunteering in a centre or participating in what is defined in the Protection of Freedoms Act 2012 as a “Regulated Activity” it is a legal requirement for us to complete a higher-level check known as an enhanced DBS/DS from the Criminal Records Check (Disclosure and Baring Service or Disclosure Scotland).

The accuracy of personal data is really important to us. If it is necessary to update or correct any personal data we hold, please contact us using the contact details in Section 9 “How to Contact Us” at the end of this policy.

Why we need it

We need personal data in order to perform functions such as:

• To comply with the law. To comply with the law as a data controller and employer there are data processing purposes which must be completed. These include but are not limited to company, charity, employment, social security, social protection law and due diligence processes. Personal data collected specifically for this purpose cannot be further processed.
• Manage and support relationship with us. To keep a record of an individual’s relationship with us and any directions provided on how we are to comply with individual data rights. To administer any donations or support fundraising activity, this will include processing the necessary personal data to enable Gift Aid to be utilised.
  • Communicate with Individuals. We need to keep a record of what communication preferences an individual has selected when engaging with us and when we need to amend this choice as requested. To provide individuals with specific and, where appropriate, personalised services, information, products, updates, newsletters, feedback, competitions. To assist with technical problems related to our websites or applications.
• Operational requirements. An individual serving as a Trustee, we will make use of collected personal data for the purposes of administering and facilitating any duties and responsibilities as a member of the Board. There may be occasions when we need to make additional use of a trustee’s personal data. An example would be if it was necessary to authenticate operational requirements and executive decisions of the charity, such as providing a home address for 3rd party financial due diligence validation processes. Any other use of a Trustees’ personal data will be compatible with the original purpose of use. If an unexpected or new purpose of use for a Trustee’s personal data is necessary, we will inform them and seek consent before making a new use of a Trustee’s personal data for a new purpose.
• Marketing. If a supporter provides us with an email address or telephone number, we may contact them for marketing purposes. We may use email or SMS text number for both marketing and targeted advertising, but only where we have opt-in consent to do so. If a postal address or telephone number is provided, we may send direct mail or call about our work. We will not do so if we have been told this is not an agreed contact option. We check all telephone numbers against the Telephone Preference Service (TPS) and if registered, we will only initiate contact if there is specific consent for us to making such calls. We make it easy for individuals to tell us how they want us to communicate with them. Our forms have clear marketing preference questions and we include clear information on how to opt-out or opt-in when we send marketing information.
• Fundraising. The lifeblood of serving our blind veterans is fundraising. We are always grateful when individuals donate. If a donation is made we will acknowledge the gift and say “thank you” by email, this will be in simple accessible language and will not include any marketing content. We endeavour to tailor our fundraising activity to ensure that we are as efficient with our resources as possible, keeping as much money available to support our beneficiaries as possible, which donors tell us is a priority for them. It also provides individuals with the most relevant and timely information and opportunities.
• Profiling. To help us achieve this tailored approach, we may use donor profiling, wealth screening techniques or algorithmic learning to enable us to target our fundraising campaign audiences. To achieve this, we may process the relevant personal data ourselves or use trusted third parties to do so on our behalf. We may use existing data that has supplied to us and combine this with information from publicly available sources such as charity and corporate websites and Companies House. We will only use reputable sources, where someone would expect their information may be read by the public. By doing this, we can better understand our supporters and ensure we only make appropriate requests to our supporters. These activities help us to approach supporters that have the means, and the desire, to give a bit more to make a considered choice. For more detail about how and why we build profiles of our supporters please click here.
• To personalise and improve the supporter experience. We may use provided personal data in order to specifically tailor our information and services to match our supporters and volunteer’s preferences and specific interests. This helps us to understand how we can improve our services, products or information and to provide personalised direct marketing and communication in a way that allows an individual an element of control. For example, we will use an email address to send a “thank you” message when a donation is made, note this communication will be a service level automated response email and will not contain specific marketing information.
• To improve our services and administration. We will personal data in order to ensure the most efficient and appropriate use of the resources we have and to improve efficiency through statistical and market analysis.

If a supporter or volunteer chooses to withhold certain personal data, we may not be able to provide individuals with the information, products or services they would like.

If individuals do not want to hear from us, or do not want us to use their personal data for direct marketing or profiled fundraising purposes please call us using the details at Section 9 “How to Contact Us”. We will retain minimal details on a suppression list to ensure that we respect individual preferences.

We collect data about individuals in a variety of ways. We will collect personal data provided directly as well as indirectly when available from other sources. The data we get from other organisations may depend on privacy settings on an individuals’ account,, or the chosen preferences selected with them, such as opting in to sharing data with third parties. Individuals are encouraged to regularly check T&C’s and privacy settings to fully understand how they will process and share personal data.

Direct from individuals

Individuals may give us personal data directly themselves when they communicate with us. Examples include registering with us as a supporter or a volunteer, signing up for one of our events such as the Cenotaph parade or if an individual applies to become a volunteer. We also collect data directly when an individual uses our website for a number of purposes, to make a direct on-line donation, to apply for beneficiary (membership) or to apply for job working with us. An individual will also provide personal data when referred to us or when engaging with a 3rd party website or web-portal. This will include if a purchase is made for one of our products, such as Lottery tickets, raffles entries, or merchandise from our on-line shop. Sometimes when an individual supports us, personal data is collected by an organisation working for us (e.g. a professional fundraising agency). If an individual chooses to support us via a 3rd party organisation, website or mobile application, personal data will be collected on our behalf (e.g. an event organiser or agency contractor).

Indirectly from other sources

We may obtain a supporter’s personal data indirectly when an individual gives consent to other organisations to share it. We may purchase personal data in a commercial transaction from a third-party organisation or alternatively make use of personal data where it is publicly available:

• Independent event organisers. Personal data may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving. These independent third parties will only pass on personal data when an individual has indicated they wish to support the Blind Veterans UK Group with their consent.
• Third party organisations. We may obtain personal data from third parties, if an individual has agreed we can approach them. For example, where we need to obtain a reference or when we need a DBS/DS from the Disclosure and Barring Service. Individuals will/may provide consent by agreeing to terms and conditions to allow a company or other organisation to share or sell their personal data with/to third parties, including charities. This can occur when an individual buys a product or service, register for an online competition, complete a survey, or when installing an application on a mobile phone, or signing-up with a price comparison website. On occasions Blind Veterans UK will purchase direct marketing data from registered third-party brokers. We only purchase direct mailing lists, that include a name and a postal address, we may also be provided with details of whether an individual is a taxpayer for Gift Aid purposes. This allows us to send postal marketing materials to individuals that have opted in to receive such material. We will always perform due diligence on any purchased data and will supress the use of an individuals’ personal data on request. Note: We can only use this purchased personal data where we have been either named as a recipient of the data or the third party has named/indicated a charity subsection into which we fit.
• Digital, online and social media. Like many companies and charities we may collect an individual’s personal data if use is made of our website and mobile apps. We may also collect data about what browser is being used, an individual’s IP address and which computer operating system is being used. this data will be used to improve the services we offer. Depending on an individual’s privacy settings on social media platforms and messaging services like Facebook or Twitter, an individual might give us permission to access personal data from those accounts or services.
• Publicly available sources. Public information may include data from places such as Companies House, the electoral register and information that has been published in articles / newspapers. Additionally, the Post Office’s National Change of Address database allows us to keep postal information up to date.

UK Data protection law and regulation requires us to have a lawful basis for processing personal information. These include:

• To protect the vital interests of an individual or another person. If we believe that the safety and /or security of an individual or a third party is at risk of harm UK law allows a controller to use known personal data specifically to minimise this harm to protect life. We acknowledge we have a duty to protect individuals and this is lawful basis permits us to process personal data in these specific circumstances which will only be used when necessary.
• To comply with a legal obligation. We will process personal data where we are required to comply with UK social security or social protection law, such as Health and Safety, or Employment law, or where a role requires a criminal record check. We will process an individual’s personal data to comply with HMRC requirements to process Gift Aid. As a controller we also need to comply with a UK court order, or when engaging with a regulatory authority such as the Information Commissioner’s office,(ICO) or the Care Quality Commission (CQC) the police or security services.
• The performance of a contract. If we are in the process of setting up or have a contract with an individual, we will process personal data necessary to comply with the obligations of that contract or preliminary contract requirements.
• Where we as a charity have a legitimate interest. Where we have a legitimate interest, we must ensure that we are not harming an individual’s interests or interfering with their rights, we will only use personal data in a manner that an individual would reasonably expect us to. For example, we have a legitimate interest in using our supporters’ data, for research and analytical purposes to better understand who our supporters are and to better target our fundraising activity. This may include using current supporter’s personal data to be used within algorithmic learning environment to help identify similar profiles of individuals that could become new supporters. As a controller we also have a legitimate interest in fraud prevention and informing authorities about possible criminal acts or security threats.
• Where consent has been given for specific purpose(s). Where we need consent, it will be clearly identifiable as a request for consent for a specific purpose. This may include marketing material sent via e-mail or SMS or to provide individuals with a product, service or information that may have been requested. Individuals are able to withdraw their consent at any time by contacting us. It is to be noted if an individual chooses this action it may affect our continuing relationship as some services may no longer be able to be supplied if consent to process personal data is withdrawn.
• Special category. Where we process ‘special category’ personal data (such as health) we will ensure we do so in accordance with a lawful basis under Art. 6 and the required additional “condition” for processing special category data under Art. 9 of UK-GDPR. An example is, where a data subject has provided explicit consent or where the data has been made public by an individual themselves.

How we protect personal data

We ensure there are reasonable and appropriate technical and organisational controls in place to protect personal data against unauthorised or unlawful processing and against accidental loss, corruption, destruction or damage. If we believe if it is likely processing will pose a risk of harm to individuals we will complete a risk assessment process known as a DPIA to identify and minimise these risks. For example, our IT architecture is actively protected and routinely monitored. We have policies and procedures in place which staff and volunteers are expected to comply with and for which they receive training. A data back-up and recovery process to prevent permanent loss of in the event of corruption, damage or accidental loss, is in place across our IT network.

• Online security. The Blind Veterans UK Group will ensure that when collecting personal information over the internet that this is done securely. Our online forms are always encrypted in transit and our network is protected and routinely monitored. Our Microsoft 365 network enables us to send point to point encrypted emails. If an individual uses a credit or debit card to donate to us, buy something or make a booking online, we pass the card details securely to our payment processing partners. We are Payment Card Industry (PCI) Data Security Standard (DSS) compliant (for more information go to: PCI Security Standards) and use external compliant providers to collect this data on our behalf. We and our partners use TLS (Transport Level Security) to encrypt data sent between you and us or our partners. We do not use cookies to store this type of personal data nor do we store credit or debit card details following completion of your transaction. To protect any sensitive data sent to us, please ensure that the device being used is running a supported operating system that is regularly updated / patched and has anti-virus and anti-malware protection. Only connect business (or personal) devices to WI-FI networks that are trustworthy. We cannot guarantee the security of data disclosed or transmitted over public/open networks.
• Password security. Where we have provided an individual (or where one has been chosen) with a password which enables access to certain parts of our website or other applications the individual is responsible for keeping the password confidential. The password is not to be shared with anyone else. Our IT support staff will never ask to be told an assigned password, a user may be asked to enter it themselves, but it is not to be shared. If asked, decline politely and report the request.
• Third party website links. Our website and apps may include links to other third-party websites, not owned or managed by Blind Veterans UK Group. Whilst we try our best to only link to reputable websites we cannot be held responsible for the privacy of data collected by sites not managed by Blind Veterans UK Group, nor can we accept responsibility or liability for any implications as a result of an individual visiting site we provide a link to. For this reason, we suggest any site visitor should consult the privacy policy of any external website linked to before submitting any personal data.

Everyone should be aware that the use of the Internet is not entirely secure and although we will do our best to protect personal data we cannot guarantee the security or integrity of any personal information which is transferred to us across the Internet. Any transmission is at an individual’s own risk.

Managing access and the sharing personal data

We undertake reviews of who has access to the personal data that we hold to ensure that personal data is accessible only by necessary and appropriately trained employees and trusted third parties that possess a business need to do so. We require all third parties that process personal data on our behalf to have appropriate and technical and organisational measures in place to protect personal data at the same standard that we apply ourselves. If we share personal data with a third party or if we require you to directly share personal data with a third party working on our behalf the data will be secure to the best of our knowledge.

At the Blind Veterans UK Group, we treat all volunteer placement references, either received by us or provided to others by us, as Confidential references. Confidentiality is applied to all references because when a referee knows the content will not be shared with the individual to which it refers or with a third party, this allows a referee to provide a candid reference. This is important to us as a charity, as we have a particular focus on safeguarding potentially vulnerable beneficiaries. Confidential references allow us to make good volunteer placement decisions and prevent applicants who may have a detrimental effect on our charitable activities and beneficiaries from joining us. The UK’s Data Protection Act 2018 includes an exemption for confidential references, the content of a confidential reference whether provided or received is exempted from the right of access and will not be shared.

There are circumstances when we may be compelled by law or where we voluntarily agree to disclose personal data to third-parties as outlined above in section 4. We have limited control over how personal data will be processed by these parties once it leaves our control. We therefore recommend that an individual consults the privacy policies of these third parties. There are also circumstances when we will consider sharing personal data voluntarily, without consent but doing so within the law. These situations include the following:

• Where we believe a crime has been committed or, to where necessary to assist with the apprehension of an offender.
• Additionally, where we need to respond to an individual Right of Access Request (known as SAR) we may choose in some circumstances to share third party personal data without consent to assist with our responsibility to provide the materials in an accessible, concise and intelligible format.
• Any sharing of personal data is managed on a case-by-case basis and is limited to being shared only if necessary and if reasonable to do so.
• There are circumstances when a Trustee’s personal data may be shared to comply with industry standard financial and due diligence processes. Examples include fraud and anti-money laundering checks, or when the charity engages in financial credit services or if we need services to enable the electronic transfer of funds. This sharing is limited to the minimum quantity of data necessary to fulfil the task.

We may in certain circumstances share personal data without an individual’s consent for the purpose of fulfilling our safeguarding responsibilities. This doesn’t happen often, but we may share personal data:

• If we believe there is a serious risk to the public, beneficiaries, our staff or to other professionals,
• To protect a vulnerable person, (child or adult) who we believe may be at risk, for example if they are frail, confused or cannot understand what is happening to them.

Occasions, other than by law, when we may share personal data include:

• If an individual has agreed that we may do so.
• When we use external service providers to collect or process personal data on our behalf, (a list of processors is included the end of this policy).
• With our subsidiaries within the Blind Veterans UK Group.
• A data sharing agreement process has been completed between Blind Veterans UK and BRAVO VICTOR Limited. BRAVO VICTOR performs the Group’s research activities as a separate charity while remaining within the Blind Veterans UK Group. This allows us to continue to have a collaborative relationship while being separate legal entities.
• If we receive a complaint about any inappropriate content which has been posted or transmitted to or from one of our sites, forums, social media pages or apps we may share an individual’s personal data with an internet provider or law enforcement agencies.
• To enforce or apply the Terms of Use for our website or other agreements or if we believe that we need to protect the rights, property or personal safety of the Blind Veterans’ UK Group, our supporters, members, visitors or websites and for other lawful purposes.
• We may disclose aggregate statistics about our supporters, volunteers, site visitors, customers and sales to describe our services and operations to prospective supporters, partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying information without explicit consent.
• In some instances, the third parties that we work with might also retain personal data for their own purposes and in these circumstances they are also a Data Controller for any personal data retained for their own purposes. Where this is the case, it will be made clear when personal data is initially collected/gathered and we recommend looking at the privacy policies of these organisations for more information on how personal data will be used.
•  If we run an event in partnership with other named organisation(s) personal data may need to be shared to facilitate the administration of the event. If this is necessary, we will be very clear and provide details on the reasons and purposes of the need to share this personal data at registration. For example, we would need to share dietary requirements with a caterer.
• If we merge with, or diversify, forming a separate/new organisation with its own legal identity, information including personal data may be transferred to the new entity. (NB. If employees are transferred to the new entity, TUPE regulations apply)

We will never rent or sell personal data which is within our control. We will not share or swap it with other organisations for their or our own purposes or seek to make money out of a stakeholder’s personal data without additional consent.

Where we store personal data

Personal data provided to us whether in paper or electronic format will be stored securely meeting the requirements of this policy. Where we store personal data may differ depending on the purpose for which we are processing it for, as indicated above. The majority of personal data may be held within in our Microsoft 365 Cloud Environment or within a number of bespoke databases or specialist applications. Personal data may also be stored within a number of systems of trusted third-party processors who process personal data on our behalf. (Details of these can be found in the third-party processors list at the end of this document)

Cross-border transfers of personal data

As a data controller, we may on occasions require the services of a third-party processor. Not all of these processors will be based or will conduct processing within the UK, if a processor is based outside of the UK these cross-border (transfer) requirements will be applied. If this is required, we will conduct an appropriate mandatory international data transfer risk assessment and put into place appropriate “additional measures” to safeguard personal data and individual data rights. Controllers in the UK now have a choice of whether to use the UK’s IDTA (International Data Transfer Agreement) or use the EU’s updated Standard Contractual Clauses (SCC). If the latter choice is selected this will also require the use of the international data transfer addendum to the EU’s SCCs). Note, if a personal data transfer is necessary for a one-off processing purpose or is an infrequent processing requirement we may ask an individual for consent to conduct the transfer after we have communicated the process and any risks to the individual.

The UK Government has recognised some countries and all of the EEA states as possessing data protection “adequacy” for the purposes of data transfers to these countries. The UK Government has decided no additional safeguards are needed to conduct data transfers to the EEA as these states have equivalent standards of data protection as UK-GDPR 2020.

The EU has recognised the UK as possessing data protection “adequacy” for the purposes of personal data transfers of EU subject’s personal data into the UK. No additional safeguards are needed as the UK has an equivalent level of protection to that guaranteed under EU law. (EU-GDPR 2016).

The EU have recently agreed a data transfer agreement with the USA. The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, similar to the privacy shield. From 12 October 2023, organisations in the UK can start to transfer personal data to US organisations certified with the “UK Extension to the EU-US Data Privacy Framework”. However, this new framework is not an adequacy decision, it does not allow for the free transfer of personal data to the US. The operation of the framework has restrictions, e.g. it cannot be used by banking, insurance, and telecommunication organisations. Where the new framework cannot be used to transfer personal data to the US, Blind Veterans UK will continue to use either the SCCs or the UK’s IDTA. 

In cases when we use external websites provided by other organisations such as Twitter or Facebook, then we would recommend individuals consult the privacy policies of these organisations to determine how personal data will be processed by these controllers.

The law requires we retain personal data for only as long as is necessary. This is to fulfil the purposes for which the data was collected and our legitimate interests or in order to comply with legal or regulatory rules and requirements.

At the Blind Veterans UK Group, we manage the retention of personal data with the use of a Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process is to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.

• Retained as Live data only……………….………. 1 year
• Record(s) of Activity and or a Process………….. 3 years
• Evidence or Compliance………………………….. 6 years
• Governance Purposes……………………………. 7 years
• Legal (Pensions, Property, Safeguarding)…..… 12 years
• Permanent retention (subject to review)…….… (Life of charity)

The UK’s Data Protection Act 2018 prohibits a data controller from processing and retaining (an individual’s) criminal offence data. However, an exception within part 3 of schedule 1 of the DPA 2018 allows a controller to process criminal offence data for the specific purposes of volunteer and employee recruitment. At Blind Veterans UK we will only process criminal offence data within a requested DBS/DS report as “live data” during the recruitment process. Once a recruitment process has been completed for a role, we as a controller, will not retain a copy of the DBS /DS report or any of the Criminal offence data from within the report. However, we will retain the following information as evidence of the completion of the DBS: (Note this retained information is personal data not criminal offence data)

• The date of issue of a disclosure
• The name of the subject
• The type of disclosure requested
• The position for which the disclosure was requested
• The unique reference number of the disclosure
• The details of the recruitment decision taken

While processing “Live” criminal offence data for this purpose, we will store this personal data separately and securely. It will not be kept with an applicant's personnel file and access is strictly controlled and limited to only employee entitled to see it as part of their recruitment duties. DBS/DS content information will be securely destroyed after a period of six months (This period allows resolution of any related disputes or complaints) ensuring the Live data is retained for only as long as is necessary.

Where we have contracted with a 3rd party provider to process personal data on our behalf these organisations will also retain some basic information in order to meet their own legal requirements, e.g. records of financial transactions and will only retain it for as long as is necessary.

If an individual decides to change or end our relationship as a supporter, volunteer or trustee or request that we have no further contact, we will need to retain some basic personal information to comply with our legal and regulatory obligations. We will also retain minimal data to maintain a suppression list to ensure we can comply and manage prevention of further contact from us Suppression as opposed to deletion of data to prevent further contact once an individual has opted out is the accepted and recommended methodology of the UK data protection regulator the ICO.

Like most organisations, our website and apps use “cookies” and other tracking software to help us make our site and the way it is used better and more relevant to our stakeholders. We will not be able to personally identify an individual from the data gathered but it may help us improve our online services.

• Cookies allow a website to remember a specific visitor, by adding a digital tag. Cookies are small text files that are transferred to a computer (or phone or tablet). They make interacting with a website faster and easier, for example by automatically filling in an online form with a name and address in text fields. Please read our cookies policy for more information. An individual can change cookie preferences whenever they wish.
• When visiting our website or apps we may collect information about the type of device being used to access them and the settings on that device. This might also include the IP address and details of the operating system and certain device settings as well as diagnostic information.

UK data protection legislation includes UK General Data Protection Regulations 2020 (UK-GDPR) and Data Protection Act 2018, these two authorities are to be jointly considered as the authority of UK data protection law. This legislation gives everyone a number of very important rights. In abbreviated form these are:

• The right to be informed. Transparency over how we use personal data. The details provided within this Privacy Policy is as a consequence of this right.
• The right of access. Request confirmation of processing and to be provided with copies of personal data we hold about an individual
• The right of rectification. An individual can require a controller to update or amend personal data held if it is incomplete or inaccurate.
• The right to erase or ‘right to be forgotten'. This provides a qualified right to ask a controller to erase personal data from held records where there is no longer a compelling reason for its continued processing, subject to a number of conditions.
• The right to object. An individual may object to the processing of personal data for certain purposes (such as marketing, research, statistics or if an individual does not believe processing we are performing has a legitimate interest).
• The right to restrict processing. An individual can request a controller to temporarily stop/ supress the processing of personal data, subject to a number of conditions.
• The right to data portability. An individual can request a controller collects and enables the reuse of personal data for similar purposes with a different controller, subject to a number of conditions.
• Rights in relation to automated decision making and profiling.

To know more about individual rights under the data protection law see the Information Commissioner’s Office (ICO) website.

Remember, an individual can exercise their rights in relation to their own personal information and are free to make changes to the way a controller can process personal data, and example of this is communication preference. An individual has the right to withdraw their consent for us to process personal data, where processing is based on consent, but this action will on most occasions prevent us from being able to deliver services we offer.

• Using the Contact Preferences Form on our Contact Us web page.
• Through the contact details set out in the ‘How to contact us’ section of this policy.

If any stakeholder is not satisfied with our response or believes we are not processing their personal data in accordance with the law and their individual rights, they can complain directly to the Information Commissioner’s Office.

To raise any comments or questions regarding this Privacy Policy or to change preferences how we process personal data this can be actioned by contacting the appropriate department:

As a supporter of the charity:

Post: Supporter Services, Blind Veterans UK Group126 Fairlie Road
Slough, SL1 4PY
Phone: 0300 111 2233
Email: supporter.services@blindveterans.org.uk

If you are a volunteer:

Post: Volunteer Department, Blind Veterans UK Group, 126 Fairlie Road
Slough, SL1 4PY
Phone: 020 7616 8373
Email: volunteer@blindveterans.org.uk

To enquire further about how personal data is processed, or to make an individual rights request, ask for information to be provided, or to raise a data protection related complaint, please contact our Data Protection Officer.

Post: Data Protection Officer
Blind Veterans UK Group, 126 Fairlie Road
Slough, SL1 4PY
Phone: 020 4534 1127 (direct dial)
Email: dpo@blindveterans.org.uk

Appendix-List of data processors