1. IMPORTANT INTRODUCTORY NOTE.
Firstly, welcome to the world of AutoRaise. Please do not be scared of this Privacy Notice - it is not intended to tie you in knots of complex legal-speak, and it is not a frightening list of terms and conditions with which you have to comply.
The purpose is to inform you, as simply and effectively as we can, about how we are dealing with data protection. Since our work has young people at its core, you need to be assured we are being as professional as possible, so let's cut to the chase.
2. WHO WE ARE.
AutoRaise is a British registered charity (number 1170068) whose sole aim is to deal with what is widely recognised as a chronic and acute skills crisis in the vehicle accident repair industry. We have a wide range of trustees and industry sponsors who fully support us in this mission, together with a growing number of vehicle accident repair companies and other industry specialists whose support we also enjoy.
You can find details of our work on two websites; the first being the business one at AutoRaise.co.uk, and the second, which is primarily for young people interested in getting into the industry, at careers.autoraise.co.uk. In a nutshell, here is our mission...
Our mission is to find young people who want to work as vehicle accident repairers and match them up with employers to help solve the skills crisis. They can work with us as AutoRaise Cadets and/or AutoRaise Apprentices. If as cadets, they can be eased into, nurtured by and supported via AutoRaise and the industry through voluntary, part-time work. If as apprentices, they can earn as they learn and be supported by us along their journey. The mission is win-win for all parties.
Our values and our charity status are such that we focus entirely and with integrity on the interests of the young people we represent. We put them front and centre and undertake never to take advantage of them in any way nor, to the best of our ability, to allow others to do so. We do not charge for our services.
We are registered with the Information Commissioner's Office (ICO) whose official guidance we have endeavoured to follow in putting this notice together. By registering, we effectively declared our intention to take data management and protection seriously. Our Data Controller is our Chief Executive Officer (CEO) Bob LINWOOD. [email protected]
This notice is being published to comply with the General Data Protection Regulation 2018 (GDPR 18) which reflects the Data Protection Act 1998.
3. WHO WE ARE NOT.
We are not in this for profit, for us or anyone else except those commercial partners who act as agents of change for the industry - like employers/repairers - so that vehicles are repaired with top-notch professionalism via the teams our young people will work with. We are not in this for glory or money-grabbing, and we are not in the business of, and will never engage in, data re-sale, direct marketing, data or personal manipulation, subject profiling, advertising or marketing (except to promote the charity) or any of the sometimes dubious technological practices about which people are becoming increasingly frightened, which includes derived or inferred information (that's techie-speak for the sort of techniques and tricks some companies use to suck you in and sell you things or do inappropriate things).
4. WHAT WE WILL DO WITH YOUR INFORMATION.
We necessarily collect and hold onto a little information about people in order to fulfil our aims and objectives. Obviously we need to know a bit about who we're dealing with, but we undertake only to collect and use the minimum amount of information, especially regarding young people who, as stated, are our reason for being.
So, for some people (like a school teacher advising on careers choices) we might only need email address, school name and where they work. For others, like young people who we might try to place with an employer, we'll need name, email, town, age, parent email and where the child can travel to in order to work. There may be a few other bits and pieces, but nothing sensitive, intrusive or special category.
We might obviously want to share some of this with others, like employers, but we'll only pass on what is essential. We undertake to use information only in ways that people would reasonably expect and declare that our business cannot reasonably be conducted in any other way. We further undertake to review what we hold at least annually (probably at the time our ICO re-registration is due) and to delete what we don't need.
5. WHO WE UNDERTAKE TO BE.
We undertake to act lawfully and with fairness, openness, transparency, integrity and security. Apart from our legal responsibilities, our ethics are such that we have no reason not to be fair and lawful. In all cases, we undertake only to process information when it is irrefutably and solely in the interests of the young people we serve.
A significant part of proper data management and information security boils down to effective risk management. In this regard, our view is that:
- Risk should be eliminated wherever possible. Our team have been briefed to adopt the position of only recording and processing personal data if necessary. If it isn't, we will eliminate the risk by not doing so.
- Risk can be reduced by sticking to the agreed procedures, our Data Protection and Key Principles Policy, using common sense and by being prudent.
- Risk can be accepted by getting things right first time every time, which is our aspiration.
6. WHO WE RECEIVE INFORMATION FROM.
We have analysed who we get personal information from and the current list is:
- Our business-to-business website - for example general interest enquiries via webforms, potential trustees, emails of support or with questions
- Our careers website - potential cadets or apprentices and/or their parents, general queries
- Responses to e-shots and publicity (newsworthy items like National Apprentice Week 2018) - schools, colleges, careers advisors and industry players
- Generic emails
- Training Providers
- Employees of the charity
All such personal information is subject to the rules on Data Protection and will be treated within the rules and principles outlined above and below, and depending on which lawful reason we have for getting it, as we'll explain below.
7. OUR LAWFUL BASES.
To comply with GDPR 18 we must, as outlined above, act within the law. To do so we have elected to use two of the lawful bases laid out by the ICO, which in a very real sense also give us our reasons for being fair. These bases are:
- Legitimate Interest. In order to help young people get a job in our industry, and help them along their career path, we must obviously find out who is interested; establish who they are (e.g. name, address, age etc); work out who, in addition to but apart from us, they should engage with, when and how this will happen (e.g. potential employers) and then effect the appropriate introductions. We also have to work the other way round and use data on employers, partners and others who can assist us and the young people. Each of the people in the list in Section 6 above, together with the AutoRaise team itself, are declared as having such a Legitimate Interest.
- Consent. In addition to Legitimate Interest, we have made a policy decision to treat all minors (i.e. those aged under 18 years of age) as requiring consent from a parent or someone with parental responsibility to engage with us up to the point when the minor becomes legally independent. Consent has been and/or will be sought in every case where we can reasonably establish it is required. Consent can be withdrawn at any time.
Whichever basis is concerned, we undertake that the net effect is that young people, and those helping them, will benefit from it. Looking at things from the other end of the telescope, the intended use of personal or other data is highly improbable to cause any individual to complain, object or be disadvantaged.
8. OUR TECHNOLOGY AND RESOURCES.
We are a relatively small charity with limited resources.
- We have a formal agreement with an external third party company that acts as our custodian of certain data and who manage our two websites and a central database containing details of people and organisations from Section 6 above. They do not act independently and receive instructions on what to do, and what not to do, from our CEO/Data Controller. Their Legitimate Interest, ethos and associated working practices (associated with AutoRaise) are identical to ours. Their Data Controller and ours have worked and will continue to work together to be compliant with GDPR 18.
- All the digital material the AutoRaise employees hold is on individual computers and is managed in accordance with our new Data Protection and Key Principles Policy V1.00 dated May 2018 which covers information security, access and systems compatible with our various functions as individuals and as a charity, and which are all reasonable given our limited size and comparatively modest corporate ambitions. Wherever feasible, files will be stored "in the cloud" and password protected. On the limited number of occasions when hard copy (paper) is required, similar methods, strictures and procedures will apply, e.g. lockable cabinets with restricted access.
9. WHO THE PERSONAL AND OTHER DATA WILL BE SHARED WITH.
There is a necessity for us to gather, collate, hold and use information in order to fulfil our charity functions as outlined above. However, we undertake only to share subject data (and only the the relevant bits of your information) with those bodies who have a legitimate interest in them and you, e.g. a potential employer or as required by a law enforcement agency, and to pass on only that which is essential for their and our lawful task in hand, e.g. effecting an introduction to someone useful to the subject, like an employer or a college.
Apart from internal data (daily pay rates, personnel data, CVs etc), which as the name suggests is and will remain internal for charity administration, the ways we will use information are:
- To find out who is interested in our work, e.g. young people, parents, partners and employers
- To find out and manage who needs our help, e.g. young people wanting a cadetship or apprenticeship, or schools helping them
- To manage the young person's employment journey, e.g. parents and the young person him/herself
- To manage and promote the charity
- To manage our regulatory responsibilities
We undertake sensibly to annotate certain data-sets with protective marking, for example spreadsheets containing details of cadets with, "AutoRaise - Confidential - Not For External Distribution" or similar.
No details will be passed to anyone outside the UK.
10. YOUR RIGHTS.
Under GDPR 18 you have the following rights that you can exercise at any time and with which we have to comply. We've added a very brief explanation for each.
- The right of access. (This means fully seeing what we hold about you and being able to understand it, and being able to check we're being lawful.)
- The right to rectification. (This means you telling us to correct anything we may have got wrong, e.g. mis-spelled name, incorrect address.)
- The right to erasure. (This means you telling us to delete your data from our systems permanently. It's essentially the right to be forgotten.)
- The right to restrict processing. (This means you telling us to stop or not do something with part of your information, e.g. we can keep it but not use it. We should point out this might be counter-productive since we are here to help, but it is a right you have.)
- The right to data portability. (This means we have to get your data to you exactly as we have it so you can use it elsewhere for other services. This right will almost certainly not apply to you, not least because it is very limited.)
- The right to object. (This means that in the unlikely event we do something unfortunate, you can say we are out of order and can officially complain.)
- Rights relating to automated decision making and profiling. (We don't do this sort of stuff so it is not applicable, but it relates to, for example, the tricks advertisers use to build up an economic or psychological picture of you.)
Our team have been briefed at all times to ask themselves whether the data we hold is justifiably held. If it isn't, it will be deleted.
In the unlikely event that you feel your rights have been breached you can contact us or the ICO.
11. IN SUMMARY.
We have covered the key points of the ICO's guidance, namely:
- What information is collected and by whom
- How and why it is collected
- How it will be used and by whom, including data sharing
- The effects on the individual - all positive and none likely to be negative
If you have any queries regarding this Privacy Notice, or wish to be deleted from our systems, please contact us and we'll get back to you as soon as possible.
- Chief Executive Officer and AutoRaise Data Controller: [email protected]
- Queries: [email protected]
- Registered charity number and address: 1170068 AutoRaise, 12 Market Walk, Saffron Walden, Essex, CB10 1JZ. Tel: 0845-644-0339