Privacy policy
1.0 OUR USER PRIVACY AND DATA PROTECTION ETHOS
We have some core beliefs surrounding the data we hold, collect, and process. These are:
The privacy and protection of the data we hold is fundamentally important
We have a duty of care to the people whose personal data we have
We should only collect and process the data we need – nothing more
We will not sell, rent, distribute, or make the data we hold public
2.0 RELEVANT LEGISLATION
This website, and our internal data policies, are intended to comply with the following pieces of legislation:
By complying with the above legislation, we and this website should also comply with the data protection and privacy requirements of many other countries and territories.
However, if you are unsure whether the site is compliant with your own country’s requirements, please contact our data protection officer, whose details can be found below.
3.0 PERSONAL INFORMATION: WHAT WE COLLECT AND WHY
This website collects and uses personal information for the following reasons:
3.1 WHAT PERSONAL DATA WE HOLD ON OUR MEMBERS AND SUPPORTERS
If you have provided it, we hold the following:
a. Your name, postal address, email address and telephone number
b. Your Twitter, Facebook, LinkedIn and other social media identifiers
c. Details of payments you have made to us
d. Your bank account and sort code (if you have authorised us to take direct debits)
e. Issues you are interested in (if you sign petitions we publish).
3.2 HOW WE GET YOUR PERSONAL DATA
All the data we hold has been supplied by you to the Britain Project, directly or via an online system which you have authorised to supply it to us (for example, a payment or social media system).
3.3 HOW WE USE YOUR PERSONAL DATA
We use your data for three purposes:
a. If you are a member, to manage your membership, including collecting your subscription, enabling you to exercise your membership rights (for example by voting in elections) and to provide information on the activities you are paying for. This enables us to fulfil our contract with you.
b. If you are a member or supporter, to provide you with information on our activities, including asking for financial support for them and collecting any payments you have authorised. This reflects our legitimate interests.
c. If you have made a payment to us, to keep accounting records. This enables us to meet our legal obligations.
d. If you contact us by email, we will hold the information you provide so that we can communicate with you. This reflects our legitimate interests.
3.4 WHO WE PROVIDE YOUR DATA TO
We only provide your data to other people for the purposes above as follows:
a. To our own staff, volunteers and contractors (including data processing companies) who are under a legal duty to keep it confidential.
b. To HM Revenue and Customs, the Electoral Commission or similar organisations, where we are required by law to do so.
We may use your data in connection with an activity arranged by an organisation working in partnership with us (for example, organising a conference) but we will not share your data with them.
We do not sell or share your data.
3.5 HOW LONG WE KEEP YOUR DATA FOR
If you ask us to delete it, we will delete your data as soon as reasonably practicable. The only exception to this is if you have made a payment to us – in this case we will not delete your data while we are legally required to retain it in our accounting records, usually for six complete financial years.
Unless you ask us to delete it, we will keep your data for as long as we are likely to use it for one of the purposes set out above, which may be indefinitely. We will regularly delete data which we believe is no longer accurate or up to date.
3.6 YOUR RIGHTS IN RELATION TO YOUR DATA
Whenever you ask us to, we will do the following as soon as reasonably practicable:
a. Send you a copy of any data we hold on you
b. Delete any data held on you, except where we are legally required to retain it
c. Correct any errors in the data we hold on you, and notify anyone we have shared it with, if reasonably practicable to do so
d. Stop processing your data, while continuing to hold it, unless and until we decide we have a legitimate interest in resuming processing it that overrides your request.
We will not charge you for doing any of these things.
Whenever we communicate with you we will provide you with an opportunity to opt out of receiving communications about our activities. Communications about your existing subscription or the governance of the Britain Project are not marketing communications and we will continue to send you these if you are a member.
If you wish to exercise any of these rights, or to ask for more information, please email us at info@britainproject.co.uk or write to us at The Britain Project, 22 Portsmouth Avenue, Thames Ditton, Surrey KT7 0RU.
3.7 SITE VISITATION TRACKING
Like many other websites, this site uses Google Analytics (GA) to track users’ interactions with it. We use this data to understand how our site is being used, for example:
The number of people using it
The pages users visit
The journey users take through the site
Where users enter the site
Where users come from
Where users exit
The demographics of our users
GA records data such as geographical location, device, internet browsers, and operating system. It does not personally identify you to us.
GA also records your device’s IP address which could be used to personally identify you. It does not grant us access to this.
We consider Google to be a third party data processor (see section 6.0 below).
GA uses cookies. Details about these can be found on Google’s developer guides. So you’re aware, our website uses the analytics.js implementation of GA.
Disabling cookies in your browser will stop GA from being able to track your journey and details on this website.
3.8 CONTACT FORMS AND EMAIL LINKS
If you contact us using the contact form on our website, or an email link, none of the data that you supply will be stored by this website or passed to, or processed by, any of the third party data processors defined in section 6.0.
The data you provide (including your email address if you use an email link) will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP).
We use Gmail as part of GSuite to receive, store and send emails for our domain dontpanic.agency & dontpanicdesign.co.uk. GSuite can accept insecure and secure email messages. We request that you send your emails securely by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted on Google servers and we access this securely (over SSL) through our desktop browsers and Gmail applications on our mobile devices. Further details about GSuite and how it processes/stores data can be found below.
4.0 ABOUT THIS WEBSITE’S SERVER
This website is hosted on a server provided by Big Wet Fish in Gosport.
Their privacy policy is available here, and their terms of service here.
Our servers retain access logs, error logs, security logs, mail and service logs to allow us to monitor our servers in order to maintain them and keep a level of security. These logs may store personally identifiable information in plain text locally on each server. All logs are deleted after 200 days.
The personally identifiable information the logs may store includes:
Time/Date
IP address
Request URL
Browser
Protocol
Email address
Referrer paths
Our website and server are protected by Cloudflare’s services which act as a relay between your browser and our web server.
5.0 OUR THIRD PARTY DATA PROCESSORS
We use some third parties to process personal data on our behalf. We only do this where it would be impractical to do otherwise. We have chosen these third parties carefully and look for them to be compliant with the legislation set out in section 2.0. This includes where they are not based within the EU.
The third parties are as follows:
Google (including GSuite [Gmail, Drive, Sheets, Docs, Meet, Calendar, etc], Google Analytics, and Google Webmaster Tools)
Xero (for accounting)
Starling Bank (for accounting/banking)
Skype (for communication)
WhatsApp (for communication)
Slack (for communication)
Mailchimp (for communication)
Zoom (for communication)
Facebook for Business (for management of Facebook Pages)
Keeper (for usernames and passwords)
Trello (for project management)
6.0 DATA BREACHES
We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities as required by law.
7.0 DATA RETENTION
We pride ourselves on only storing the data we need. With that in mind, we conduct a biannual data review of the information we hold and delete anything we no longer need, or which we have held for at least 12 months without usage. This takes place on or around the following dates:
1st May
1st November
If we encounter data at any other point we believe we no longer need, this is deleted.
We will only hold personal data for a longer period in order to fulfil our contractual or legal obligations.
8.0 DATA ERASURE REQUESTS & DATA SUBJECT ACCESS REQUESTS
To make a data erasure request or a data subject access request, please contact our Data Protection Officer, whose details are listed below.
9.0 DATA CONTROLLER
The data controller’s registered office and operating office is:
The Britain Project, 22 Portsmouth Avenue, Thames Ditton, Surrey KT7 0RU
10.0 DATA PROTECTION OFFICER
The data protection officer is:
Wyn Evans, The Britain Project, 22 Portsmouth Avenue, Thames Ditton, Surrey KT7 0RU