The Woodsmith Foundation takes your privacy seriously. We are committed to looking after your personal information, handling it in a responsible manner and securing it with industry standard administrative, technical and physical safeguards.
Woodsmith Foundation follows two guiding principles when it comes to your privacy:
Transparency. We work hard to be transparent about what personal information we collect and process.
Simplicity. We strive to use easy-to-understand language to describe our privacy practices to help you make informed choices.
The Woodsmith Foundation is registered as a data controller with the Information Commissioner’s Office (ICO). It is also a registered charity (registration number 1163127) with its main place of business at Woodsmith Foundation, Resolution House, Lake View, Scarborough, YO11. If you have any queries about this privacy notice or about any aspect of WOODSMITH FOUNDATION’s data management please contact our data protection lead at email@example.com.
This Privacy Notice will be regularly updated to ensure that it continues to comply with the latest regulation and best practice. It was last updated on [insert date published on GMS]
Our privacy notice is a detailed guide to how we use your information. It sets out our approach to how we handle your personal information in the following areas. Please click on the links below to access information that is relevant to you and your relationship with us.
Visitors to our website
When someone visits https://woodsmithfoundation.org.uk/ , we use a third party service, Google Analytics, to collect standard internet usage information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. As soon as this information is collected through Google Analytics, users’ IP addresses are made anonymous, and we will not make any attempt to find out the identities of those visiting our website.
Apart from the analytical data captured by Google Tag Manager and Google Analytics, the website will also capture all requests made to the server to detect and prevent fraud and unauthorised access and to maintain server security.
Grant applicants, current and former grant recipients
Application and grant management
We will only ask for as much information as we need to effectively consider a grant application, to manage an award if you are successful and to monitor its progress. In submitting an application, you are agreeing to us processing your data for these purposes and in the ways outlined in this section. To collect information, Woodsmith Foundation uses Formstack (to host our funding eligibility and application form). Our Formstack instance is hosted in the US and complies with GDPR. More information of Formstack Privacy Information is here.
We use Salesforce to store grant data. Our Salesforce instance is hosted in the EEA and complies with GDPR. More information on Salesforce Privacy Information is available here.
If you apply, we will keep a record to enable us to maintain records of your application history should you apply again, including assessment notes. In addition to application data, we will retain any personal data related to the administration or operation of the grant, including name, email address and phone number.
We may use assessors, advisors, consultants, judges or working group members to assist us with the grant application and management process, including evaluation and research activities. Before data is shared with any party, we ensure a data processing agreement which meets the standards of GDPR is in place.
Data about what we fund
Information regarding grants and social investments awarded is published on the WOODSMITH FOUNDATION’s website and in its annual accounts which are submitted to Companies House and the Charity Commission. We also publish our funding data as part of 360 Giving. This will include the title and description of the funding, name of the recipient, date of the award, its duration and the amount awarded. We will not publish address details of individuals who are awarded funding except where these are also the registered addresses of organisations we fund. If you use a personal address for an organisation and do not wish us to publish this information, you must inform us at the point of the funding being awarded.
We may also include information on funding awarded in presentations about the WOODSMITH FOUNDATION’s work.
There may be times we share information with a third party organisation such as a charity or other funder who may contact us for a reference. Most information will be organisational and not personal, but at times personal data (for example the names of senior staff) may be included. This is a legitimate interest as it will improve funding to the sectors we fund.
We may collect personal data from business contacts to enable us to undertake the legitimate activities of the Foundation.
Research undertaken by Woodsmith Foundation
From time to time, the Foundation may undertake research which will involve the collection of personal data. Where possible, this data will be anonymized before publication. Where anonymization is not possible, data will only be shared if explicit consent is received. Any identifiable personal data will be held for up to one year following completion of the project.
Members of the public who make enquiries
If you contact WOODSMITH FOUNDATION with an enquiry, we will store your details only for as long as necessary to enable us to respond to your enquiry and for up to 3 months after our response. This may be by telephone, email or written correspondence. If your enquiry is for pre-application advice, we will hold your details for up to 18 months to ensure we have the data to refer to in the case of you making an application.
Children and Young People
We understand the importance of protecting children’s privacy, especially in an online environment. The site is not designed for or directed at children. We do not knowingly collect Personal Information from minors. If a parent or guardian becomes aware that his or her child has provided us with Personal Information without their consent, he or she should contact us at firstname.lastname@example.org .
If you sign up to our newsletter, we will retain your personal details to enable us to get in touch with you about our work and other relevant initiatives or news through our newsletter. We also provide our newsletter to those we hold legitimate business interests with such as those we fund. You can unsubscribe at any time.
Visitors to our office
If you visit our office, we will ask you to provide your name and contact details to enable us to keep track of attendees in the building. We will not use it for any other purpose. We will however retain details about the numbers of visitors to our offices, for monitoring purposes.
Suppliers and others to whom we make payments
If we have an obligation to pay you (e.g. following delivery of services or to reimburse expenses) we will collect personal data from you to enable us to complete this contractual transaction. We will store this data in our accounting system, Sage and use online banking to make supplier payments, holding transactional data for 7 for tax purposes.
Investment fund administrators and other organisations we contract with are required by anti-money laundering (AML) legislation to verify the identity of their clients. Therefore, for AML purposes we are required to keep personal data about our trustees and directors. This data is reviewed every 6 months to ensure only accurate current copies are retained and out of date information is destroyed. However, Woodsmith Foundation will retain copies of AML documentation sent to investment funds to verify identify for the lifetime of that investment where the AML documentation forms part of the contractual arrangement with that fund.
The Woodsmith Foundation will collect personal data of contacts at investment firms and banks as part of our dealings with them. This will be retained for the length of the contract and then deleted.
IT management systems
The Woodsmith Foundation uses several systems to manage its IT infrastructure. Personal data of users (normally only staff) is collected to enable us to manage and operate our systems and is logged in our accounts held on these systems. This includes:
Google – to warehouse our data and provide us with website analytics
Salesforce – to access, edit and store our data relating to active and previous grants and applications
Microsoft – to provide Office Suite facilities (such as SharePoint, Word, Outlook, etc), including file storage for WOODSMITH FOUNDATION day-to-day operations. Microsoft also provide us with our finance system.
Formstack – to collect and store information relating to funding applications and for information relating to potential applicant’s eligibility for funding
In addition, the Foundation receives IT support from Anglo American. Anglo American have access to all WOODSMITH FOUNDATION systems for the purposes of support and maintenance only and manages WOODSMITH FOUNDATION’s backup and spam management systems. Their contract includes a data processing agreement which meets the standards of GDPR.
WOODSMITH FOUNDATION also contracts with other third parties on a per-project basis. This may necessitate access to specific platforms and the data within. If this is the case, Data Sharing Agreements are put in place between WOODSMITH FOUNDATION and the third party, and access to any sensitive data is restricted as much as possible.
Job applicants, current and former staff
All the information you provide during the job application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it might affect your application if you don’t. Information on the equal opportunities form will be treated in confidence and will not be seen by staff directly involved in the selection process. The questionnaire will be detached from the application form before the form is seen by those involved in selection, stored separately and used only to provide statistics for monitoring purposes after which point it will be destroyed.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
If you are successful, the information you provide during the application process will be retained by us as part of your employee file. This includes your criminal records declaration, fitness to work, records of any security checks and references. Your employment file will also contain all personal data related to your employment at the Foundation. This will be retained for the duration of your employment plus 6 years following the end of your employment. After that time, we will retain basic details of your name, start and end date and job title only for archive purposes.
Personal contact details of employees will be shared with Foundation managers and trustees for the purposes of emergency contact in line with the Foundation’s Disaster Recovery Plan. Personal contact details of nominated emergency contacts for individual staff members will be held on employee files and will only be used in an emergency. These will be deleted within one month of the employee leaving WOODSMITH FOUNDATION.
Data processes and HR
We may use recruitment agencies to assist us with filling posts. Details of the Privacy Policies of the agencies will be available on their websites.
WOODSMITH FOUNDATION contracts payroll management Ashby Berry Coulsons Further information is available here.
WOODSMITH FOUNDATION uses a variety of social media platforms including Twitter, Instagram, Facebook and LinkedIn. We also use analytics associated with those sites to manage and measure our social media interactions.
Photographs and videos
WOODSMITH FOUNDATION will often use videos, which may be commissioned by us or submitted by those we work with, to illustrate the work of the Foundation and the projects we support and these may involve personal data which we collect as part of the legitimate activities of the Foundation. Videos may be stored on WOODSMITH FOUNDATION systems or hosted on Anglo American.
Videos commissioned by the Foundation may be recorded and edited by external film makers and we will have a data processor agreement which meets the standards of GDPR in place.
From time to time we may showcase videos produced by third parties such as grantees or partners that we work with through our communications channels. In doing so, we will make every Woodsmith Foundation or to ensure suitable permissions and compliance with GDPR are satisfied before use of video.
We may photograph events that WOODSMITH FOUNDATION host or are involved in and we will inform participants that this is the case either by notice or specific forms. Participants have the right to withdraw their consent by following the instructions given.
We will also take photographs of staff – both headshots and at events. Staff will be asked to provide their consent to the use of these photographs.
We may use the photographs in WOODSMITH FOUNDATION publications, social media, website or the press. Photographs will be stored on WOODSMITH FOUNDATION systems and held for up to 5 years, or in the case of staff headshots until the person leaves WOODSMITH FOUNDATION. If we commission an external photographer, we will put a data processor agreement which meets the standards of GDPR in place and the photographer will be bound by the same photograph retention policy.
From time to time we may request images from those we work with to promote the work that we support through our communication channels. In accessing images, we will make every effort to ensure suitable permissions and compliance with GDPR are satisfied before use of the images.
We may collect personal detail about grantees or other individuals involved in the work of the Foundation in order to produce publications about WOODSMITH FOUNDATION’s work. We will obtain the consent of the individuals involved to their inclusion. The information that we include in WOODSMITH FOUNDATION publications is shared through our website and other communications channels, including press releases and social media. In the process of preparing and disseminating publications, we may share information with a variety of third-party processors. For example, graphic designers will often format and arrange printing of content. Proofreaders and / or consultants may be engaged to review work. In all cases we will ensure a data processor agreement is in place which meets the standards of GDPR. WOODSMITH FOUNDATION will retain digital and hard copies of publications in order to maintain an archive of the Foundation and our grantees’ work.
Audit and regulatory requirements
We may share any data about the operation of WOODSMITH FOUNDATION with the Foundation’s auditors, the HMRC, the Charity Commission, the Information Commissioner’s Office, Companies House and other regulatory bodies should this be necessary to complete statutory audit and regulatory requirements.
Under the General Data Protection Regulation (GDPR) which came into force on 25 May 2018 you have rights as an individual data subject which you can exercise in relation to the information we hold about you. Read more about these rights on the ICO’s website.
Complaints and queries
WOODSMITH FOUNDATION tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
We would also welcome any suggestions for improving our procedures. To contact us, or raise a concern, email email@example.com . You can also see our complaints policy.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of WOODSMITH FOUNDATION’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to our data protection lead at the address in the Introduction above.
If you want to make a complaint about the way we have processed your personal information, you can contact the ICO as the statutory body which oversees data protection law ico.org.uk/concerns
Access to your personal information
WOODSMITH FOUNDATION tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under GDPR. If we do hold information about you, we will:
give you a description of it;
tell you why we are holding it;
tell you who it could be disclosed to;
let you have a copy of the information in an intelligible form; and
correct the information if there are any mistakes.
To make a request to WOODSMITH FOUNDATION for any personal information we may hold you need to put the request in writing addressing it to our data protection lead and emailing firstname.lastname@example.org or writing to the address provided above.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the data protection lead.
If you object to how we have handled the processing of your data, please make the complaint in writing and email email@example.com.
Privacy notice changes