Potential Plus UK Privacy Policy – May 2021


Overview / Purpose

This privacy policy sets out how we collect, use and store any personal information we may have about you.  It applies to any personal data we collect, as well as data provided to us by 3rd parties and our members.

When sharing personal data with Potential Plus UK, you can be sure that:

  • We only collect the information that we need in order to be able to support you.
  • The information is collected and held securely, so you know your information is safe.
  • We will use your data to make sure that your experience with us is personalised, supportive and efficient.
  • You can review and update the information we hold about you at any time.
  • You can change your preferences and have full control over which communications you receive from us.

Potential Plus UK is committed to meeting and complying with any and all of its obligations under the Data Protection Act of 2018 and is registered with the Information Commissioner’s Office for that purpose.

Scope

This privacy policy covers Potential Plus UK’s employees, casual workers, trustees, and volunteers (including committee officers at its branches), all of whom are data processors in relation to the personal information we hold about you.

Definitions

EEA – European Economic Area

ICO – Information Commissioner’s Office: the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

GDPR – General Data Protection Regulation: The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area implemented in the UK by the Data Protection Act of 2018. It also addresses the transfer of personal data outside the EU and EEA areas.

Policy

This privacy policy requires Potential Plus UK to follow the requirements as laid out in detail in Appendix 1 about what information we collect and hold about service users and potential service users, and how we use it

Monitoring and Reporting

Compliance with the privacy policy is implemented through staff induction and internal procedures, including the use of the membership database and secure digital and hard copy folders to hold service-user data. Access to personal data is restricted to individuals and teams with specific roles. It is monitored and reported monthly at the employee team meeting.

Compliance is implemented through the Branch Service Level Agreement and internal procedures, including the use of the membership database.

Compliance, as well as exception reporting, is shared at every Board of Trustees’ meeting as a standing item as part of GDPR.

Exceptions require written authorisation by the Chief Executive. An example might be personal data required by a Local Authority in connection with a Safeguarding concern. Exceptions are recorded and held securely in the digital folder Confidential Admin.

This policy is reviewed every 3 years.  We may update it at other times if any important changes occur about how data is being processed. We may also send an email at that time to make service users aware of any important changes.

Training

General training will be provided as part of employee or casual worker induction. This is the responsibility of the line manager and is recorded in the digital folder Confidential Admin.

Specific training is provided for all employees, casual workers, trustees and relevant volunteers every three years around the time of policy review by the trustee with responsibility for GDPR or by the volunteer Data Protection Officer. It is recorded in the digital folder in Confidential Admin.

Roles and Responsibilities

  • Board of Trustees: responsible for approval of the policy.
  • Chief Executive: responsible for the implementation of the policy with employees, casual workers and branch volunteers through the Service Level Agreement.
  • Trustee with responsibility for GDPR: responsible for guidance on this policy.
  • Data Protection Officer: helping with queries arising from this policy.
  • All employees, casual workers, trustees and branch volunteers: requirement to read and apply this policy.

Related Standards, Policies and Processes

  • Confidentiality Policy
  • Cookies Policy
  • Retention Policy and Schedule

Appendix 1 the information we collect and hold and how we use it


What personal data do we collect about you?

The Basics

There are different types of data about you that we may collect, store and process depending on your relationship with us.

This can include:

  • Personal information about you in order to support you, your family or school – such as your name and contact details, and bank details
  • Ethnicity information, which is voluntarily provided, so that we can monitor and evaluate our reach and impact
  • Special categories of data which require more protection, such as personal family or school information for assessment purposes, or special educational and behavioural information for events
  • If you use our website, we will also record your IP address and information about which of our web pages you are accessing and when – this is important for us to be able to improve our website and enhance your online experience.See our cookies statement for more information.

Depending on your relationship with Potential Plus UK we may also need additional information to find out more about you and how we can help.  Please see below.

If you are applying for membership or are a current or former member

Depending on whether you are applying for or renewing your Potential Plus UK membership, phoning us for advice, or having an assessment for your child, the personal information we collect from you will vary.  This includes:

  • Your membership history
  • Your income or financial situation (if you are applying for concessionary membership or scholarship funding for an assessment)
  • Details about your child’s educational needs (if you are applying for scholarship funding for an assessment, attending an event, or taking up an assessment)
  • Details of the school or organisation through which you have associate membership (where applicable)
  • Payment information such as bank or credit card details

We may also collect personal data about you from certain parties, for example:

  • Potential Plus UK branches, for example, in order to attend their activities
  • Schools and academies, for example, to add into assessment reports
  • Other charities and organisations involved in the support of HLP children, such as your child’s membership number of British Mensa in order to access Associate Family membership

If you attend a training course or an event

If you attend a Potential Plus UK training course or event, we will collect and process personal data about you.  This includes sensitive personal data that you provide to us voluntarily, such as your payment information when booking a course, educational and behavioural information about you and/or other attendees, permissions for film and/or photographs.

If you have an assessment or an advisory call for your child

If you arrange an assessment or advisory call for your child, we will collect and process sensitive personal data about your child, including:

  • Age
  • Gender
  • Type of schooling
  • Current and past educational concerns
  • Behavioural and sensory issues
  • IQ and other test results

How we use your personal data

General Uses of your data

Without your personal data, we wouldn’t be able to provide many of the services and benefits our members receive as part of their membership.  Your data is also important in helping us to regularly review, analyse and improve what we do.

If you choose not to share personal information with Potential Plus UK, we may not be able to assist you or provide guidance when you request it.

Below are some examples of how we use your personal data in the way we communicate with you and provide our services, depending on your relationship with us.

  • Understanding how you use and interact with the Potential Plus UK website and social media – including posting, commenting or sharing our social media posts, or anything on the Potential Plus UK website or YouTube channel.
  • Understanding how you use our website so we can learn about your experience, address any issues and improve our digital presence.
  • Using data for business analysis and reporting on key information such as our membership demographic and the impact we are having.
  • Making sure our marketing and sales communications are tailored to specific groups through data profiling.
  • Physical and IT security monitoring, so that we know your personal data is well protected.

If you are applying for membership or are a current or former member

Your personal data allows us to:

  • Verify your identity, your eligibility for concessionary or associate membership and to process your membership payment.
  • Provide you with membership benefits and services.
  • Contact you by telephone, post, email or SMS to let you know about events, services and membership benefits, or to find out about your opinion on proposed services and benefits, or education provision for high potential learners – unless you let us know that you would prefer not to receive this type of communication.

If you are booking for events, assessments or advisory calls

Your personal data allows us to:

  • Process event, assessment or advisory call bookings.
  • Arrange your attendance and send you relevant information.

How we share your personal data

Sharing information with third parties

We sometimes need to share your data with third parties who help us provide our services.

We will never share your personal data with other companies or organisations for their own marketing or promotional purposes.  We also make sure that any third parties who have access to your personal data keep it confidential and only use it in ways that you would reasonably expect.

These third parties include:

  • Outsourced digital membership platform (e.g. YourMembership)
  • Outsourced IT and security support (e.g. Virtual IT)
  • Outsourced event organisation IT (e.g. TryBooking)
  • Outsourced website support (e.g. Fifteen)
  • Xero accounting programme
  • Payment providers and banks, who allow us to receive and process funds (e.g. PayPal, PaySafe)
  • Potential Plus UK assessors, proof readers and trainers, who work for us
  • Potential Plus UK volunteer-led branches
  • Legal professionals such as accountancy company for annual audit
  • Independent panel for scholarship funding
  • Other contacts you have nominated and authorised for us to speak to about your membership and any related matters

Sharing information with other members of Potential Plus UK

Members of Potential Plus UK have the opportunity to engage in the online community, which forms essential peer-to-peer and expert support. Visible information is limited to Nickname and photograph (if the member opts to upload one) and Region. Members can choose to share more information by adjusting their profile setting. Members must accept a connection from someone to enable them to message each other. Members who do not wish for this limited information to be visible can contact Potential Plus UK and request a ‘hidden’ member account. Please note that should they then choose to participate in the community groups, that they could still receive requests for connection from other members.

How long do we hold your personal data?

We hold onto your personal information for as long as is necessary to fulfil the purposes we have outlined in this privacy policy, and to comply with our own legal obligations (whichever is longer).

If you would like to find out more about the Potential Plus UK’s retention policy and schedule for data, please contact the Data Protection Officer at dataprotectionofficer@potentialplusuk.org .

What happens when your data is transferred outside the European Economic Area (EEA)?

Potential Plus UK’s membership database and accounting programme use systems located in the USA and complies with the Data Protection Act 2018 through Standard Contractual Clauses which govern the exchange of data between the EEA and the systems located in the USA.

In this way, we continue to make sure that your personal data collected, used and stored by the same standards and for the same purposes we highlight in this privacy policy.

We have a number of controls and safeguards in place to help us ensure your data is protected – including secure transfers of personal data, and appropriate model contract and data protection clauses.

Keeping your data secure

We only use systems which are proven to be resilient and which will handle your personal data with confidentiality and integrity.  We use encryption and authentication tools to keep your data safe and secure.

You can also be sure that your personal data is protected behind secured networks and only accessible by authorised people, who are viewing or updating your information according to agreed procedures.

How the law allows us to process your information

Our legal basis for processing data

Potential Plus UK collects and processes your personal data on the legal basis that:

  • We need it in order to perform a contract, or when taking steps to enter into a contract with you – such as when you are considering joining Potential Plus UK as a member
  • We need it to comply with a legal obligation specific to our organisation
  • We need it for our legitimate business purposes (listed below), while taking into account your rights and freedoms in a relation to data
  • You have given consent for us to use your data for our business purposes, for example when we send you information about community events, new services, fundraising campaigns and impact evaluations
  • You can withdraw your consent at any time by logging into your member account at https://community.potentialplusuk.org/

There are also legal obligations around processing special categories of personal data, as defined in the Data Protection Act 2018.  We process this type of data on the basis that we provide confidential advice and assessments of children to our members and to non-members.

What are Potential Plus UK’s legitimate interests?

‘Legitimate Interests’ mean the interests of Potential Plus UK in how we process your data if we have not obtained your consent in advance.  We process personal information for legitimate business purposes to:

  • Provide you with communications on Potential Plus UK services and benefits which we think will be of interest to you.This is because although members may leave membership when their children grow older, we believe many past-members retain a strong relationship with Potential Plus UK and often wish to re-engage either as supporters or when grand-children become old enough to require Potential Plus UK’s services, and
  • Suppress contacts with you where you have withdrawn your consent.If you wish us to stop contacting you by email, then we will need to hold your email address to ensure that no further email is sent to you.

Whenever we process data for these purposes, we will ensure that we always keep your Personal Data rights in high regard and take account of these rights.  You have the right to object to this processing if you wish, in which case please email amazingchildren@potentialplusuk.org Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.

What rights do you have?

The law gives you a number of rights in relation to your personal data.

You can contact us by email, phone or post if you would like to request any of the following:

  • To be told how your personal information will be used as set out in this privacy policy
  • To ask what information we hold about you and request a copy of that information, subject to exemptions
  • To have your personally identifiable data deleted.For more information about this, please contact our Data Protection Officer on dataprotectionofficer@potentialplusuk.org
  • To ask for your records to be updated, if you believe they are inaccurate
  • For processing of your personal data to be restricted, which you can do in certain situations
  • To raise a valid objection to your personal data being processed.

Please include your name, email address and postal address in your request.  We may also ask for proof of your identity.

We will confirm that we have received your request within 5 working days and provide a response within 30 working days.

You can also lodge a complaint at any time about our treatment of your personal data with the Information Commissioner’s Office (http://ico.org.uk).

When do we contact you?

There are three main reasons for us to contact you by email.

  • Statutory communications. So that we can comply with our legal obligations as a registered charity, we send you statutory communications including a link to the Annual Report and Accounts, notice of the Annual General Meeting and notice of any other general meeting.
  • Service communications. To tell you about membership – including information about your renewal or any important changes to your membership.
  • Membership communications. You can tell us if you would like to receive information about services, events and activities relating to high learning potential children, as well as fundraising campaigns and impact evaluations.

If you would rather not receive marketing communications from us, you can let us know at any time by using the unsubscribe function in our emails, changing your preferences on your membership account, emailing us at amazingchildren@potentialplusuk.org or calling us on telephone number 01908 646433.

Keeping us updated

Keep your information up to date by letting us know if any of your details, such as your email, changes. The easiest way for you to do this is by logging into your membership account at https://community.potentialplusuk.org/

Become a Member

Families benefit from access to our advice line, our electronic resources and our Focus newsletter.

Schools benefit from access to our advice line, online resources and the High Learning Potential Best Practice Award.