Data Protection and Privacy Policy

The purpose of this policy is to ensure that all staff of Right To Play (also referred to as RTP) are informed about personal data and their responsibilities for the proper collection, handling and storage of personal data to ensure the safeguarding of personal information. Right To Play is committed to processing data in accordance with its responsibilities under current legislative compliance acts and applicable industry governance compliance programs and best practices including, but not limited to, PIPEDA (Personal Information Protection and Electronic Documents Act), PHIPA (Personal Health Information Protection Act), PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation).

1. Overview

Right To Play UK is a charity registered in England and Wales (Charity number: 1112404) and in Scotland (Charity number: SC052331). Its mission is to protect, educate and empower children to rise above adversity.

Right To Play UK supports children in development and humanitarian contexts in Africa, Asia and the Middle East, working in partnership with Right To Play International (Registered in Canada: 88880 4218 RR0001, and co-located in London and Toronto) and Right To Play offices in Europe and North America.

Right To Play UK’s main focus within the UK is income generation and awareness raising. It gathers and manages personal data relating to existing and prospective staff, trustees, volunteers, supporters and donors for these purposes.

This policy sets out Right To Play UK’s commitment to ensuring that any personal data it processes is managed in compliance with the UK Data Protection Act 2018, UK GDPR and all relevant EU data protection legislation, and that good data protection practice is understood and conducted by all staff and volunteers across the organisation.

The policy and related procedures have been approved by the Right To Play UK board and will be reviewed on an annual basis.

2. Principles

Right To Play UK complies with the data protection principles set out below. When processing personal data, it ensures that:

  • it is processed lawfully, fairly and in a transparent manner in relation to the data subject
  • it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • it is accurate and kept up to date, and that reasonable steps are taken to ensure that any personal data which is inaccurate is erased or rectified without delay
  • it is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is being processed
  • it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Right To Play UK will facilitate any request from a data subject who wishes to exercise their rights under data protection law as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay.

3. Scope

This policy applies to all UK personal data and its use by any part of the global Right To Play organisation. Any UK partnership agreement (e.g. corporate, media, institutional donor) must also comply with Right To Play UK’s Data Protection and Privacy Policy.

4. Definition of terms

Third Party: An organisation or business which is external to Right To Play UK and the Right To Play global organisation.

Partnership agreement: An agreement or contract with a Third Party which is external to Right To Play UK.

5. Roles and responsibilities

Right To Play UK is the ‘data controller’. The UK Operations Manager leads on data protection for Right To Play UK, supported by the National Director and Right To Play UK Board.

All Right To Play UK employees and volunteers, as well as the employees of Right To Play International working within the UK, are required to comply with the Data Protection and Privacy Policy at all times. It is their responsibility to ensure that they understand and follow the Policy and complete all training as required.

Right To Play UK Finance & Operations staff are responsible for ensuring that any other person or organisation working for, or in partnership with, Right To Play UK, does so in compliance with the Data Protection Policy.

6. Procedures

6.1 Data Collection

6.1.1 Right To Play UK collects personal data relating to existing and prospective trustees, supporters and donors for income generation and awareness raising purposes.

6.1.2 Right To Play UK collects personal data relating to existing and prospective staff, trustees and volunteers for employment purposes.

6.1.3 Where consent is relied upon as a lawful basis for processing data, evidence of consent is gathered and stored.

6.1.4 Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent will be clearly available and systems are in place to ensure such revocation is reflected accurately in Right To Play systems.

6.2 International Transfer

6.2.1 The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. The UK has issued regulations confirming that Canada, a country to which RTP UK transfers personal data, ensures an adequate level of protection of any personal data collected by RTP UK.

6.3 Data Processing

6.3.1 Right To Play UK takes every reasonable step to ensure personal data is accurate and up to date, and is kept for no longer than necessary.

6.3.2 Access to personal data is carefully managed and limited to necessary roles.

6.3.3 Right To Play UK shares UK personal data with Right To Play International in its role as the provider and manager of the global Right To Play supporter database in which Right To Play UK stores all personal data.

6.3.4 Right To Play UK works with Right To Play International to manage access to UK personal data, across the global organisation, ensuring that this is limited to specific roles and locations as needed.

6.3.5 Right To Play UK will only share data with a Third Party for specific service provision (e.g. IT or analysis) when there is a contractual agreement in place. We will not permit any Third Party to use this data for its own purposes.

6.3.6 Right To Play UK will not sell personal data to a Third Party.

6.4 Data Storage

6.4.1 Right To Play UK will ensure that personal data is stored securely based on information security best practice.

6.4.2 Right To Play UK will employ the use of appropriate data back-up and disaster recovery solutions.

6.4.3 Right To Play UK ensures that personal data is not kept any longer than necessary and that it is deleted promptly once it has reached this point.

6.5 Individual Rights

6.5.1 Individuals have the right to access their personal data and understand how it is being used.

6.5.2 Right To Play UK responds promptly to any request from an individual to view their personal data and will correct any inaccuracies without undue delay.

6.5.3 Right To Play UK will respect the individual’s right to ask for their data to be deleted or to limit how it is used and will do so promptly if requested.

6.6 Data Breach

6.6.1 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Right To Play UK will promptly assess the risk to individuals' rights and freedoms and, if appropriate, report this breach to required authorities complying with relevant legislative acts.

6.7 Training

6.7.1 Right To Play UK ensures that all staff and volunteers are appropriately trained on Data Protection and that this is updated on a regular basis.

6.8 Review

6.8.1 This policy will be reviewed on an annual basis.

7. Related policies

Right To Play UK Privacy Standard: Version 2, Approved by UK Board, April 2022.

Corporate Privacy Policy

Right To Play is committed to protecting the privacy of the personal information of its employees, volunteers, members, customers, donors and other stakeholders. We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires that we be transparent and accountable in how we treat the information that you choose to share with us.

During the course of projects and activities, Right To Play frequently gathers and uses personal information. This privacy policy describes how Right To Play collects, uses and discloses personal information. Right To Play does not sell, barter or lease donor, sponsor or other fundraising lists.

Defining Personal Information

Personal information is any information that can be used to distinguish, identify or contact a specific individual. This information can include an individual’s opinions or beliefs, as well as facts about, or related to, the individual. Exceptions: business contact information and certain publicly available information, such as names, addresses and telephone numbers as published in telephone directories, are not considered personal information.

Information in the public domain is not subject to privacy legislation and as such is not included in this policy.

Where Right To Play customers and clients use their home contact information as business contact information, Right To Play considers that the contact information provided is business contact information, and is not therefore subject to protection as personal information.

We consider donor and volunteer information always to be personal information, and do not disclose information about donors or volunteers without consent.

Right To Play observes the following practices when collecting, maintaining and using personal information:

Consent

An individual’s consent is required regarding the collection and proposed use of personal information when information is collected. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. An individual’s consent is required before confidential information is released to outside parties.

Cookies

Right To Play’s websites use persistent cookies within visiting browsers to enable the functions of the website and for tracking performance. Specifically, cookies are used in the following ways:

  • Preserving and expiring visitor sessions on the site (e.g. preserving data between steps of a process; and ending the session after a period of inactivity)
  • Storing font size preferences on the site
  • Enabling web analytic tools (such as Google Analytics, Clicktale, and iPerceptions – see below)

Cookies are used anonymously and without storing Personally Identifiable Information (PII). Visitors that wish to opt-out of cookies should review the help documentation for their browser software to decline or selectively decline cookies. Note that declining cookies may adversely impact site performance.

Webpage and Mobile Analytics

The Right To Play website uses Google Analytics to track performance. Analytic applications use persistent cookies to track visitor sessions, visitors across multiple sessions, and referral sources to our sites. We also track the performance of promotional links to our site using analytics. At no time is personally identifiable information (PII) passed to Google Analytics. Note that Google Analytics stores its data within the United States of America and is subject to US laws. We use this data to understand site performance to serve you better. Those wishing to opt out of Google Analytics data collection should use the Google Analytics Opt-out Browser Add-on.

Limited Collection

The collection of personal information is limited to that which is relevant and necessary to our programs and fundraising efforts. Right To Play shall not make unwarranted or intrusive inquiries into a donor or prospect’s gift history or personal life. Right To Play attributes all data that it collects.

Limited Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Accuracy

Personal information shall be as complete, accurate and up-to-date as possible. Donors are encouraged to review, correct and update personal information.

Security Safeguards

Personal information gathered by Right To Play shall be kept in confidence. Right To Play’s personnel shall be authorized to access personal information based only on their need to deal with the information for the reason(s) for which it was obtained.

Appropriate physical and electronic measures shall be used to ensure personal information is secure. Access to donor and volunteer records shall be limited to those who require such information to fulfil their job responsibilities. Special protection shall be given to all records pertaining to anonymous donors. The confidentiality of donor and volunteer records shall continue after the relationship with the individual has ended.

Confidentiality

Donors who request that their name and/or the amount of the gift not be publicly released shall remain anonymous.

Openness

Upon request, individuals shall be given access to the information in their donor record.

Further information on privacy and your rights in regard to your personal information may be found on the website of the Privacy Commissioner of Canada at www.priv.gc.ca and at the European Commission Website for GDPR (General Data Protection Regulation) https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en