Data Protection Policy

From Wikimedia UK
Jump to: navigation, search
This policy was approved by the Board on 21 April 2012. It is part of a series of Staff Policies. (approved revision, subsequent changes)
Changes to this policy are subject to board approval, and should be proposed either on the talk page or the Engine room

Approval history:

22 April 2012 - Initial adoption (approved revision)

25 May 2013 - Amendment to include European Economic Area/Data Protection Act requirements (approved revision)

17 May 2018 - Amendment to include GDPR update - minutes to follow (approved revision)

Introduction

Wikimedia UK is committed to protecting and respecting your privacy and your personal information. This data protection policy sets out how and why we obtain personal information, how we use it, and what steps we take to protect it. It describes the lawful basis on which we do this and your rights in respect of your data. It tells you how to get in touch if you have any further questions.

Our website policy describes what cookies we use on our website and their purpose.

Who we are

Wikimedia UK is a company limited by guarantee (number 6741827) and a registered charity (number 1144513). We are the UK chapter of the global Wikipedia movement. This policy relates to information which is obtained by Wikimedia UK and which Wikimedia UK uses.

What we do

Wikimedia UK's DPA certificate

Wikimedia UK works in partnership with organisations from the cultural and education sectors and beyond in order to unlock content, remove barriers to knowledge, develop new ways of engaging with the public and to enable learners to benefit fully from the educational potential of the Wikimedia projects.

We support the development of open knowledge in the UK, by increasing understanding and recognition of the value of open knowledge and advocating for change at an organisational, sectoral and public policy level. Our members and supporters help us do this by:

  • Fundraising and donating money, services or gifts-in-kind
  • Campaigning for change and engaging in public debate
  • Participating in voluntary activities such as editathons.

What personal data we collect

Membership data: this is information you give us when you join Wikimedia UK. This will include your name, address, email, telephone numbers, date of birth, and country of residence. This may also include bank details, data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.

We keep this information while you are a member and for a period of three years after the date on which your membership ceases.

Supporter data: this is information you give us when you donate time, money, services or goods to Wikimedia UK. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.

We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it for longer or unless otherwise required by law.

Volunteer data: this is information you give us when you participate in Wikimedia or partner organisations events or activities. This may include your name, aliases, address, email, telephone numbers, date of birth, bank details and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university). This information may come to us directly from you, or indirectly from third party sources such as social media or when, for example, you purchase goods or services through a third party site.

We keep this information for a period of three years from your most recent interaction with us, unless you give consent for us to hold it indefinitely.

Contractor data: this is information you give us when you enter into a contractual relationship with us, whether as a member of staff, a supplier or in some other capacity. This data may include your name, national insurance, pension and tax details, bank details and the amount(s) you have paid to or been paid by Wikimedia UK. This may also include your address, email, telephone numbers, date of birth, and country of residence. This may also include data regarding participation in events, contributions to Wikimedia websites, membership of or affiliation to other organisations (for example, a university) and data from third party sources such as social media.

We keep this information for a period of seven years from your most recent interaction with us, unless otherwise required by law.

Cookies: We collect information about your interactions with our website using cookies. We might also obtain your personal data through your use of social media such as Facebook, Twitter or LinkedIn. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this. Our use of cookies is covered by a separate policy here.

How we use personal data

We hold and process personal data of members, supporters, volunteers and contractors. We use it as follows:

Members: We use this data in order to fulfil our commitments as a membership organisation, to ensure the proper conduct of the organisation and to meet our obligations under our Articles of Association and as required by law.

Supporters: We recognise that supporters have a legitimate interest in how we use their donations and that this interest persists after a donation is made. We use this data to keep a record of donations made and actions taken by our supporters, to keep supporters informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with supporters.

Volunteers: We recognise that volunteers have an ongoing and legitimate interest in our activities and that this interest persists after a contribution is made. We use this data to keep a record of donations made and actions taken by our volunteers and our communications with them, to keep volunteers informed of our activities and how their donations are being used, and to solicit further support, both financial and in kind. We also use the data to record and monitor how we communicate with volunteers.

Contractors: We use contractor data for the proper administration of our contracts, to comply with existing legislation, and in the course of our normal business.

This means that the lawful basis for us processing your personal information described above will be one or more of the following:

  • because it is necessary to fulfil a contract that we have in place with you; or
  • because the processing is necessary for compliance with our legal obligations; or
  • because we have a legitimate business interests or
  • because we have your consent to keep and use the data

Where we are made aware that there is no lawful basis for keeping personal data, we will delete it.

Wikimedia UK will not, under any circumstances, share or sell your personal data with any third party for their own marketing purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your personal data to us.

How we govern the use of personal data

The Board of Trustees recognises its overall responsibility for ensuring that Wikimedia UK complies with its legal obligations. It reviews data systems and procedures annually to ensure compliance with the law and good practice. Day to day responsibility for data management is delegated to the CEO, who has the following responsibilities:

  1. advising the Board on data protection and related policies
  2. ensuring data security
  3. approving data protection-related statements on publicity materials and letters
  4. ensuring that staff have appropriate training in data protection and
  5. receiving and responding appropriately to data inquiries

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Each member of staff, trustee and volunteer at Wikimedia UK who handles personal data will comply with the organisation's operational procedures.

Wikimedia UK has registered with the Information Commissioner's Office under the Data Protection Act. Our registration number is Z3098483.

Because confidentiality applies to a much wider range of information than GDPR, Wikimedia UK has a separate Confidentiality Policy. In the event of any conflict, this Data Protection Policy takes precedence.

How we store personal data

Wikimedia UK has an electronic database holding information about all members, supporters, volunteers and contractors. We also hold physical records which includes attendance records, correspondence, emails and minutes of proceedings at events or meetings.

  • Paper records will be stored in locked cabinets
  • Electronic records will be stored on computers protected with alphanumeric passwords
  • Electronic backups are kept securely, in line with industry standards.

Only authorised personnel for whom access to the data is necessary for the performance of their duties will have access to it.

Personal Data relating to any electronic interactions with Wikimedia UK will be held on a computer within the European Economic Area, as required by our ICO registration.

Accessing and changing your data

Everyone has the right to know what data we hold, to confirm that it is accurate and, in the absence of any lawful grounds for us keeping the data, to ask that it be deleted. We will respond to any requests to change or delete data within 30 days.

If you would like more information, or have any questions about this policy, or to access, change or request deletion of your data, please write to: yourdata@wikimedia.org.uk

We may need to ask you to provide:

  • proof of your identity
  • proof of your home address
  • any information that we reasonably need to locate the information you have requested

Requested data will be provided in electronic format at no charge.

To make a formal complaint about Wikimedia UK's approach to data protection or raise privacy concerns directly with our data protection team, please contact:

The Data Protection Officer

Wikimedia UK

5-11 Lavington Street

London

SE1 0NZ

You also have the right to make a complaint direct to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO can be contacted here.

Concerns can be also be logged via the ICO website.

Transparency

Wikimedia UK is committed to ensuring that members and supporters are aware:

  1. that their data is being processed
  2. to what purpose it is being processed
  3. what types of disclosure are likely, and
  4. how to exercise their rights in relation to the data.

Those on whom Wikimedia UK holds data will be informed in the following ways:

  1. Members: as part of the process of joining or of renewing membership
  2. Supporters: as part of the process of making donations and through the website
  3. Volunteers: in the volunteer welcome/support pack, at events and through the website

Contractors: through correspondence and, in the case of staff, through the Staff Handbook.

Changes

This Privacy Policy may be updated from time to time so you may wish to check it each time you submit personal information to Wikimedia UK. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to use the Wikimedia UK website to submit personal information to Wikimedia UK. If material changes are made to the Privacy Policy we will notify you by placing a prominent notice on the website.

References