Data Protection Policy
Big Change is committed to protecting the privacy of all those we work for, and with. We fully adhere to the current General Data Protection Regulation (GDPR), Data Protection Act, and the Privacy and Electronic Communications Regulations (PECR). This policy sets out how we treat personal data, and the measures we have in place to protect it.
This applies to all those we fund; our donors and partners; our employees; our contractors; our suppliers; our trustees, and our community members.
Big Change Charitable Trust is the controller of your personal data, and we are responsible for how it is used, and the ways in which it is processed. We are registered with the Information Commissioner's Office (ICO) and our registration number is ZA173962. You may exercise your rights under GDPR in relation to your personal data, and we will respond as soon as possible, and at the latest within the required calendar month.
Personal Data Collection
Personal data refers to information that relates to an identifiable individual. Big Change may collect, store and use the following kinds of data:
- Information that you provide to us to register your interest in us (for example our funding, our newsletter, attending an event, donating to us).
- Information gathered during a grant giving or funding round, and the management of the grant or funding to you.
- Information about you as an employee, trustee, contractor, supplier or member of our community.
- Other information that you choose to provide and send to us.
Processing the Data
We process personal data because:
- You gave us permission to do so (for example, when you applied for funding).
- We need to process and manage a contractual agreement that you have entered into with us.
- We have legitimate interest, as part of our mission and strategy as a charitable organisation.
- We have to meet legal obligations (for example, as an employer).
Your rights are front of mind when we are considering how and why to process any data relating to you.
The use of Personal Data
Ahead of collecting any personal data, we consider what information we need to move forward with work or partnership with you. It will always be clear why we are asking for the data, and you will be asked for your consent as a first step. Once you have consented we will process the information as outlined in the sections below:
Grant applications and awards
When you apply for funding from us, you will be asked to provide us with details about yourself, usually through an application form online. Sometimes you will have been referred to us, or found through outreach research. We may share information with organisations and individuals with a legitimate interest in our applications, grants and funding rounds. This could be an organisation we have contracted to assist with the delivery of learning and development to support you in your work.
We will also share information that we are legally obliged to supply, for example during an annual audit - to the auditors and accountants. We will publish details of those we award grants to, both on our website, in our social media posts and in our accounts, but we will never publish addresses for individuals.
Donors and partnerships
In order to maintain relationships with our donors and partners, we will store personal data on our CRM system, which can only be accessed by employees of Big Change. We only keep data which is required for us to carry out our business and ensure that we are meeting our reporting obligations to those who fund us.
When considering funding and donation offers, we do carry out due diligence (also known as Know Your Customer) checks to ensure that we are accepting funding in line with our mission and values. When carrying out these checks we only access information which is readily available in the public domain, and access to findings is restricted to the employees at Big Change who need to see the information in order to carry out their role.
We will publish details of those who fund us on our website, in our social media posts, and in our accounts - in line with any grant agreement signed by both parties. We will never publish contact details for individual donors.
Employees and Trustees
We use your personal data when the law allows us to, and in the following circumstances:
- To meet our obligations and carry out our rights as outlined in your employment contract, and for the purpose of managing the Big Change workforce (such as administering salary and benefits, in communications and emergencies, business planning, and compliance with other organisations who have a legal duty to look over the data of those who work for us, such as auditors and HMRC).
- When it is necessary for legitimate interests and your rights don’t override our interests.
- To accommodate a disability, illness or to comply with diversity and anti-discrimination monitoring and legal requirements. This will include some sensitive data.
We only share personal data with third parties when strictly necessary, and require all those suppliers to adhere to all data protection laws. You will know when we are sharing your personal data; third parties include our payroll administrators, pension provider and benefit schemes.
Working with us as a consultant or supplier
If you operate as an individual consultant, we use your personal data when the law allows us to, and in the following circumstances:
- To meet our obligations and carry out our rights as outlined in your consultancy or supplier contract.
- When it is necessary for legitimate interests and your rights don’t override our interests.
- To accommodate a disability, illness or to comply with diversity and anti-discrimination monitoring and legal requirements. This will include some sensitive data.
We will keep records of supplier relationships and these records may include information supplied as part of a tender and procurement process. We only share personal data with third-parties when strictly necessary, such as our bank for payment purposes, and require all those suppliers to adhere to all data protection laws.
Members of our community
Our community is made up of individuals and organisations that have received or are receiving funding and support from us. As a result of this, we will already hold personal data as part of our grant-making process, and consent will have been given when entering into a funding relationship with us. At Big Change we know that we are stronger and more impactful when we collaborate and work together. Therefore we continue relationships, build networks and learning and development opportunities even after grant agreements have come to an end. We will communicate on this legitimate interest basis with you - reaching out when there are opportunities that we feel would benefit you, and others we work with.
Sensitive personal data
Sometimes we need to collect sensitive personal data to enable us to track the diversity of our funding applicants, employees and those we work alongside. We recognise the need to maintain the confidentiality of vulnerable groups and only those who need to know this information will have access to it. For example, it may be necessary to share information like this when assessing a grant application, with those who are part of the decision making panel. It may also be needed when monitoring and evaluating our processes and impact, and we will share data with those who are involved in these projects.
Photographs and videos
As part of our marketing and communication work, we may request, facilitate or receive images or videos from those we work with which would be used to promote our work and that of our partners through our communication channels, such as our website, social media and newsletters. We may use external photographers and film-makers. When using images and videos, we ensure that we have all suitable permissions compliant with GDPR before using them in our communications.
Data Retention
When considering how long to keep your data, we follow the guidance provided by the ICO and we consider the amount, nature and sensitivity of the data, and what we are processing it for. The law requires us to keep financial records for 7 years. Aside from this, any personal data held where no contact has been made will be reviewed biennially, unless you were an employee of Big Change in which case records will be held for 5 years after your last working day.
Data Storage and Security
All employees of Big Change receive cybersecurity and data protection training, and we ask those we work with to either share their own data protection policy or agree to adhere to ours. We use tools to store data, ensuring that these are both ISO 27001 and Cyber Essentials Plus certified, and that they have encryption, monitoring and vulnerability check processes in place. We employ two-factor authentication and impose restricted access where necessary.
If we do experience a data breach, this will be reported to the Data Protection Officer in the first instance and the Managing Director. Details will be recorded, and immediate remedial action will be taken. Breaches will be reported to the ICO if there is a likely risk to people’s rights and freedoms, e.g. there is a risk of identity theft, discrimination, financial loss, or reputational damage. In the event of a breach like this, the report will be made to the ICO as soon as possible, and within the 72-hour deadline.
Contact
If you have any queries around this policy, the tools we use or the handling of your data, please contact: dataprotection@big-change.org.