How we use and look after your data
To enable us to undertake our charitable objectives we collect and use personal information about individuals. We recognise the trust placed in us by individuals whose information we use.
It is important to us that we are open and honest about the way we use information and we are committed to ensuring that we do so in a manner that is both lawful and respects your privacy.
This notice applies to the general public, our children and families, supporters, employees, volunteers, contractors and customers.
This privacy notice sets out the details about how we collect, use and look after information (known as processing) and what you can expect from us.
The information we collect and the reason for collecting it is different for different groups of individuals.
Privacy Policy
GENERAL SECTION
Table of Contents
Privacy Policy
This policy includes:
- Your rights as an individual
- Contacting us about your information.
- The information we collect, use or access
- How we keep your data safe and how we share that information
- How long we keep information about you
- Changes to this Policy
How we use and look after your data
To enable us to undertake our charitable objectives we collect and use personal information about individuals. We recognise the trust placed in us by individuals whose information we use.
It is important to us that we are open and honest about the way we use information, and we are committed to ensuring that we do so in a manner that is both lawful and respects your privacy.
This notice applies to the general public, our children and families, supporters, employees, volunteers, suppliers and service providers, prospective employees, visitors, contractors and customers.
This privacy notice sets out the details about how we collect, use and look after information (known as processing) and what you can expect from us.
The information we collect and the reason for collecting it is different for different groups of individuals.
The groups of individuals are:
- Babies, Children, Young People (BCYP) and Families
- Supporters
- Volunteers
- Suppliers and Service Providers
- Applicants and Employees
- Visitors
- Contractors/Agency/Bank Workers
- Clients/Customers
Information Used
The information we collect, use or access
Depending on your relationship with us, the services you use and the way in which you support us, the information we hold about you may include the following:
- Your personal details (such as your name, e-mail address, telephone numbers, work address etc);
- Vehicle registration details if you visit a CHAS site;
- Details of contact we have had with you in relation to the provision, or the proposed provision, of our services;
- Our correspondence and communications with you;
- Information about any complaints and enquiries you make to us;
- Information we receive from other sources
- Information used to identify you or devices you use such as IP addresses, MAC addresses or cookies etc.
Key Data Categories
| Background Checks | Data used to verify your identity. Examples include criminal background checks (CRB), criminal history, reference checks |
| Biometric | Refers to unique physical, physiological, or behavioural characteristics of an individual that can be used for automated identification or verification. Examples include facial recognition and fingerprints |
| Browsing Information | Information collected by your web browser as you navigate the internet. Examples include cookie information, browsing time, IP address |
| Business Contact Information | Details used for business contacts. Examples include business email address and business phone number |
| Education & Skills | Information about participation and achievements in various forms of education and training. Examples include qualifications, certifications and employment history |
| Employment Information | Details about a person's work history, current job status, and related details. Examples include contracts, job role, grievances and complaints |
| Family Information | Information about a person's family background, including their relatives. Examples include sibling details, family circumstances, home address and media interests. |
| Financial | Any data that relates to an individual's financial status. Examples include bank account details, credit card numbers and salary/wage details |
| Genetic | Data about an individual's genetic makeup. |
| Government Identifiers | Unique numbers or codes assigned by government agencies to individuals, used for identification and verification purposes. Examples include passport details, driving licence and national insurance number |
| Personal Contact Information | Details used for personal contacts. Examples include personal email address and personal phone number |
| Professional Experience & Affiliations | Refer to your work history and memberships in relevant professional organisations. Examples include trade union or professional body membership |
| Social | Details referring to an individual’s social media account. Examples include social media account and history. |
| Special Categories Data | Special category data, under the UK GDPR, refers to personal data that is considered particularly sensitive and requires extra protection. This includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when used for identification), data concerning health, and data concerning sex life or sexual orientation |
| Travel & Expense | All the financial information related to employee travel and related spending on behalf of a company. Examples include travel booking details and expenses |
| User Account Info | Information associated with a specific user's account on a system, platform, or application. Examples include username, and password |
| Workplace Welfare | Information related to the well-being of employees in a work environment. Examples include bullying and harassment details. |
This list is not exhaustive and provides brief descriptions and examples only.
COVID-19
To support NHS Scotland's efforts in tackling COVID-19, in addition to the information we already collect form you when you visit us, we are now requesting you provide a contact telephone number or postal/email address.
In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland and statutory partners. This will only be in the unlikely event there is a cluster of coronavirus cases linked to the premises.
The purpose for which we are processing your personal data is to assist with NHS Scotland's efforts in tackling the coronavirus public health epidemic. This will involve the gathering and, when necessary, the sharing of information with NHS Scotland and statutory partners. Your data will not be used for any other purpose.
Direct Marketing
What legal basis does CHAS have for processing my information?:
For the purposes of Direct Marketing - CHAS relies on the legal basis of "Legitimate Interests" to process your data for post and telephone calls and by "Consent" for email and text message communication.
Why do we use legitimate interest for post and telephone calls?
The purpose of CHAS is to reach and support families in Scotland living with the terrifying heartbreak that their child will die young. We can only achieve this by building and developing relationships with both new and existing supporters. We depend upon traditional direct marketing techniques such as mail and telephone to keep our supporters updated about how they are making a difference to the lives of children and families at CHAS, and to give them further opportunities to experience the joy of giving.
We will not contact anyone who has explicitly said they do not wish to be contacted.
When will you be contacted for fundraising purposes?:
Email and other electronic channels
We will only contact you for fundraising or marketing purposes by email or other electronic means such as SMS if you have agreed to be contacted for these purposes.
Telephone
We may contact you for fundraising or marketing purposes by telephone unless you have told us that you do not wish to receive telephone calls from us or you are registered with the Telephone Preference Service (TPS).
Post
We may send you correspondence by post about our work including occasional appeals unless you have told us that you do not wish to receive such information by post.
What communications will you receive
We will contact you to let you know about the progress we are making and to ask for financial and non-financial support. If you don't want to hear from us, that's absolutely fine, please just get in touch to let us know and we will make sure your wishes are followed. You can contact us by emailing support@chas.org.uk or by calling 0141 779 6180. When you get in touch, please provide details such as your name, postcode and unique CHAS ID number which you will find on your correspondence.
We do not sell or share personal details to third parties for the purposes of marketing. But, if you attend an event run in partnership with another named organisation your details may need to be shared. We will be very clear what will happen to your data when you register.
What happens if you don't respond to the information we send?
We will continue to communicate with you for as long as you continue to engage with CHAS by post plus three years and by phone plus two years. Thereafter your information will be suppressed until it is deleted from the database. Always remember though you can get in contact with us at any time to update your preferences.
How long do we keep your information:
We generally retain your information as long as necessary, for a period of up to 7 years (for example, for Gift Aid, for health and safety, risk assessment, and insurance purposes). We review our supporter database every year to make sure it is up-to-date and delete any data which is no longer relevant or that we are not entitled to retain.
Prospect Research and Wealth Screening
As a fundraising organisation, we carry out targeted fundraising activity to ensure that we are contacting you with the most appropriate communication, which is relevant and timely and will ultimately provide an improved experience for you.
In doing so, we carry out limited in-house profiling and research to help us better understand and communicate with our donors and potential donors. To support this activity, we may use automated or manual processes such as wealth screening to analyse and segment our data using our trusted third party partners. Such information is compiled using publicly available data, e.g. directories, companies house, charity registers, and social media platforms such as LinkedIn. You will always have the right to opt out of this processing.
We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch.
We also use publicly available sources to carry out due diligence on donors in line with the charity's Gift Acceptance Policy and to meet money laundering regulations.
If you would prefer us not to use your data in this way, please email us at support@chas.org.uk or call us on 0141 779 6180.
CCTV
CHAS uses CCTV in some of its services to keep children, young people, families and colleagues safe. If you access one of the services where this is the case, you will be told about it.
Website Visitors
What Information We Collect
When you visit our website, we may collect the following types of information:
Technical data: IP address, browser type, operating system, device type.
Usage data: Pages visited, time spent on site, navigation paths.
Cookie data: See section below.
We may also collect personal data if you submit forms, sign up for newsletters, or make donations.
Cookies and Tracking Technologies
We use cookies to improve your experience and understand how our website is used. These include:
Strictly Necessary Cookies: Essential for site functionality (e.g., session management).
Performance/Analytics Cookies: Help us understand how users interact with the site.
Functionality Cookies: Remember your preferences and settings.
Third-Party Cookies: May be set by services such as embedded videos, social media plugins, or analytics providers.
You can manage your cookie preferences via your browser settings or our cookie banner.
How We Use Your Information
We use your data to:
- Provide and improve our website and services.
- Respond to enquiries or requests.
- Analyse website usage and performance.
- Ensure security and prevent fraud.
Legal Basis for Processing
- We process your personal data under the following legal bases:
- Your consent (e.g., for non-essential cookies).
- Our legitimate interests (e.g., improving services).
- Legal obligations (e.g., financial record-keeping for donations).
Sharing Your Information
We do not sell your data. We may share it with trusted third parties who help us operate our website or deliver services, such as analytics providers or payment processors.
International Transfers
Some data may be processed outside the UK. We ensure appropriate safeguards are in place, such as standard contractual clauses.
How we keep your data safe
We ensure that there are appropriate technical controls in place to protect your personal details; for example, our online forms are always encrypted and our network is protected and monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and volunteers and contractors.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
How long we keep information about you
We realise it is important for you to know and understand how long we will keep and use your data. We are required by certain laws and regulations to maintain records for certain periods. Once your information is no longer required it is disposed of securely.
CHAS complies with our own internal retention schedules and the retention schedules set out in the NHS Records Code of Practice.
We have included retention schedules within the specific sections as per data subjects.
Individual Rights
Your rights as an individual
We feel it is important that you are aware of your rights as an individual.
The right to be informed - you have the right to be told about how and when your personal information will be used. Our aim is that this notice, in conjunction with statements on other materials, provides a clear and transparent description of how your information will be used.
Right of access - you have the right to request a copy of the information that we hold about you (this is also known as a 'Subject Access Request').
Right of rectification - you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten - in certain circumstances you can ask for the data we hold about you to be erased from our records. You should be aware we are required to keep most information for a minimum period of time.
Right to restriction of processing - where certain conditions apply you have the right to restrict our processing of your information.
Right of portability - you have the right to have the data we hold about you transferred to another organisation.
Right to object - you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing including profiling. You have the right to ensure decisions about you are not automatically made by a system or technology.
If you have any concerns or questions about your rights as an individual, please contact us.
Your right to know what we know about you, make changes or ask us to stop using your data.
You have a right to ask us to stop processing your personal data, and if it's not necessary for the purpose you provided it to us for (e.g. processing your donation or registering you for an event) we will do so.
Contact us on 0141 779 6180 or support@chas.org.uk if you have any concerns.
You have a right to ask for a copy of the information we hold about you. If you spot any mistakes, please let us know and we will correct them.
If you have any questions, comments or suggestions, please let us know by contacting the Support Services Team, 2nd Floor, Buchanan Tower, Cumbernauld Road, Stepps, Glasgow, G33 6HZ or email support@chas.org.uk.
If you want to access your information, send a description of the information you want to see and proof of your identity by post to CHAS, 2nd Floor, Buchanan Tower, Cumbernauld Road, Stepps, Glasgow, G33 6HZ. We do not accept these requests by email.
If you have any questions, please send these to support@chas.org.uk.
You are entitled to an independent review of our actions should you have a concern or feel we have not respected your rights.
If you feel this is the case, you can register your concern with the UK Information Commissioner's Office. Details on how to do so can be found here on their website (https://ico.org.uk/concerns) or by calling 0303 123 1113.
Contact Information
First line enquiries
Dependent on your relationship with us you can contact specific teams you are engaged with directly.
Contacting us about your information
General enquiries can be directed to the CHAS Information Management Team:
Head of Information Services
Children's Hospices Across Scotland Canal Court 42 Craiglockhart Avenue Edinburgh EH14 1LT Tel: 0131 444 1900 Email:infomanagment@chas.org.uk
Contacting us about your information
Where possible we use publicly available sources to keep your records up to date. We would really appreciate it if you could let us know if your contact details change.
Changes to this Policy
We may change this Privacy Policy from time to time. If we make any significant changes in the way we treat your personal information. We will make this clear on the CHAS Website or by contacting you directly.
SECTIONS AS PER DATA SUBJECTS
Children and Families
This section explains what information CHAS collects, keeps and stores about Babies, Children and Young People (BCYP) and families.
What personal data do we collect?
CHAS holds personal data about you which may include:
- Biometric
- Browsing Information
- Business contact information
- Education and Skills
- Employment
- Government Identifiers
- Personal Contact Information
- Family Information
- Financial
- Genetic
- Personal Identification
- Social
- Special Categories
Why are we allowed to use it
The most important reason for us to hold information is to help us give you the very best care. It helps our team to see the most up to date information and saves you having to repeat things to lots of people.
We process your data in accordance with our legitimate interests in providing high quality, safe and efficient services.
If we have a contract with you, we will also process your data to deliver our services under that contract.
We may also obtain your consent to process your data for example, when using any photography. Where we rely on your consent for processing, you have the right to withdraw your consent at any time. This does not affect the lawfulness of our processing before such withdrawal.
Some data will be collected and used to comply with legal obligations such as complying with Health and Safety regulations.
We sometimes review care records to do clinical audit of the standards of care provided by CHAS against accepted best practice. Audit results are published and/or presented in an anonymous format so that individuals cannot be identified.
Other ways we may use information could be in education awareness raising or research, but we would always seek your permission before doing this.
Having up to date contact information helps us keep in touch with you and we will check this with you regularly.
Where does it come from
Data you give to us
Information provided by you or by a relative so we can provide our services to you and ensure the highest standard of care.
Data we collect when you use our services
As part of your engagement with us, we will collect data as part of providing the service and this will be ongoing
Data from outside organisations
Data may be provided by external Clinicians, NHS bodies, Local Authorities or other organisations who support you.
Who shared with and why
With your consent, your information is also shared with other professionals who work with you such as NHS, Local Authorities and other organisations who support you. You have the right to refuse to allow us to share information with other health care professionals, unless it is a matter of child or vulnerable adult protection.
Prescribers within CHAS have access to patients Emergency Care Summaries (ECS - electronic GP records on medicines and diagnosis) via source board or GP. ECS is recommended by the Scottish Government as one of the best medicines information sources to use for medicines reconciliation at transition of care.
Our external regulators, Healthcare Improvement Scotland and Care Inspectorate, look at care records as part of their inspection of the service.
If shared overseas
N/A
Retention Schedule
Baby, Child, Young person and Family member data is retained in line with CHAS’s data retention policy, which closely aligns with the NHS Data retention policy.
This data is stored securely on our Clinical Data system “The Care Database”, for the purposes of accurate clinical and social care record keeping in accordance with the requirement of the General Medical Council (GMC), Nursing and Midwifery Council (NMC) and The Scottish Social Services Council (SSSC).
Data will be retained in accordance with CHAS data retention policies for clinical records
Supporters
This section explains what information CHAS collects, keeps and stores about CHAS Supporters.
If you support us, for example to make a donation, register to fundraise, or sign up for an event.
What personal data do we collect?
CHAS holds personal data about you which may include:
- Background Checks
- Personal Identification
- Education & Skills
- Contact Information
- Special Categories data
- Personal Contact Information
- Employment Information
- Professional Experience & Affiliations
- Financial
- Social
Where it is appropriate we may ask for:
- Information relating to your health (for example if you are taking part in a high-risk event)
- Your motivation for giving, including whether this relates to any personal experience of CHAS. We will never make this question mandatory, and only want to know the answer if you are comfortable telling us
Why are we allowed to use it
The main reason we use your data is to provide you with the services, products or information you asked for.
We process your data in accordance with our legitimate interests to administer your donation or support your fundraising, including processing gift aid. We also rely on our legitimate interests to keep a record of your relationship with us and understand how we can improve our services, products or information
We may also obtain your consent to process your data to manage your marketing preferences.
Some data will be collected and used to comply with legal obligations such as complying with financial due diligence requirements.
We will sometimes analyse the data we hold to build a picture of the kind of people who are supporting us. We may use external sources to help us to do this but will always respect your privacy.
We may also use external sources to help us keep your data up to date.
From 13 June 2022, Children's Hospices Across Scotland (CHAS) will operate under a new communication and contact policy for supporters' data. Whilst continuing to follow an "opt in" (consent) approach for all activity through email and text, CHAS will use legitimate interest as basis for post and phone communications activity. A combination of these two approaches has been deemed the most appropriate approach in meeting the needs of the charity and the expectations of our supporters, following a review of our previous policy.
Where does it come from
Data you give to us
You may give us your information to sign up for one of our events, tell us your story, make a donation, purchase our product or communicate with us. Sometimes when you support us, your information is collected by an organisation working for us (e.g. professional fundraising agencies), but we are responsible for your data at all times.
Data we collect when you use our services
Whatever it is about CHAS you are interested in, we really want to be as tailored as we can in our communications to you. We also want to engage with you in the best possible way; to help us do this, we will sometimes analyse things like what you are interested in and where you live to help us engage with you in a meaningful way. This is important because it cuts down on broad ranging communications and helps us ask for donations or give information based on what we know they would like to hear about.
Data from outside organisations
Your information may be shared with us by independent event organisers; for example, the London Marathon or fundraising sites like Just Giving or Kiltwalk. These independent third parties will only do so when you have indicated that you wish to support CHAS. You should check their Privacy Policy when you provide your information to understand fully how they will process your data.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
You may also provide permission for third party organisations to share your data with other third parties, including charities. You may do this when you buy a product or service, register with a website that runs competitions or register with a comparison site.
The information we get from those services depends on your settings or the responses you give, so you should regularly check them.
Like most websites, we use "cookies" to help us make our site - and the way you use it - better. Cookies mean that a website will remember you. They're small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier - for example by automatically filling your name and address in text fields.
In addition, the type of device you're using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you're using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
The website uses a cookie for Google Analytics. It does not capture or store personal information but merely logs the user's IP address which is automatically recognised by the web server. This is used to record the number of visitors to our site and volumes of usage.
For more information about Google Analytics visit the Google Analytics website.
If you do not wish to accept cookies on to your machine you can disable them by adjusting the settings on your browser. However, this will affect the functionality of the CHAS website.
We also work with third parties who support our work and raise money.
For this reason, there are third party cookies on our website. If you accept these, we will show you adverts on other websites that are relevant for you.
If you do not want these cookies to be stored on your PC it is possible to opt out here and here without affecting your navigation around the site.
Who shared with and why
Data may be shared with third party organisations who run analysis on our supporters so we can understand them more and third party organisations who we run events with.
If shared overseas
N/A
Retention Schedule
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected — including for legal, accounting, or reporting obligations — in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We store and manage supporter information securely in our customer relationship management (CRM) system, Raiser’s Edge, which helps us maintain accurate records and ensure compliance with data retention best practices.
Supporter Data Retention Schedule
| Data Type | Purpose | Retention Period |
|---|---|---|
| Contact details (e.g., name, email, address, phone), Donation records & Gift Aid, Consent and communication preferences | Communications, fundraising, updates, financial reporting, HMRC compliance, lawful marketing | Up to 7 years from last meaningful interaction (e.g. donation, event attendance, email engagement) |
| Legacy pledges | Managing and administering legacy gifts | Until the gift is received plus 7 years or pledge withdrawn |
Note: In Raiser’s Edge, supporter records are routinely reviewed and flagged for deletion or anonymisation once they reach the end of their retention period, unless we are legally required to keep them for longer (e.g. for safeguarding or tax purposes).
When data is no longer needed, we either delete it securely from the system or anonymise it so that individuals can no longer be identified.
Volunteers
This section explains what information CHAS collects, keeps and stores about CHAS Volunteers.
What personal data do we collect?
CHAS holds personal data about you which may include:
- Browsing Information
- Background Checks
- Business contact information
- Education and Skills
- Travel & Expense
- Professional Experience & Affiliations
- Personal Identification
- Personal Contact Information
- Social
- Special Categories of data
- Employment Data
- Financial
- User Account Info
Why are we allowed to use it
We will only use your data for the purposes of volunteer management in CHAS and you will only be contacted about your volunteering activity. You will not be contacted about fundraising unless you are also registered with CHAS as a supporter.
We process your data in accordance with our legitimate interests to manage your relationship with us and manage your activities.
Data may be used to comply with an legal obligation such as background checks and recruitment into CHAS Volunteer roles.
Where does it come from
- Data you give to us
- On completion of application form.
- When you leave your volunteering, or if you apply and do not go on to become a volunteer, we will delete your record on our database in line with our record retention guidelines.
- We may also use external sources to help us keep your data up to date and to send you the latest information about our services.
- Data we collect when you use our services to manage our relationship with you and your volunteering activities
- Data from outside organisations
Data may be shared with external auditors or standard bodies.
Who shared with and why
Not shared
If shared overseas
Not shared oversees
Retention Schedule
When you leave your volunteering, or if you apply and do not go on to become a volunteer, we will delete your record on our database in line with our record retention guidelines.
We may also use external sources to help us keep your data up to date and to send you the latest information about our services.
Visitors
This section explains what information CHAS collects, keeps and stores about CHAS Visitors.
If you work at, or make a visit to any of our sites, for example to work, to train, to visit any of our children or their families in the hospices, make a donation, volunteer etc, we will usually collect some information about you. You will always be asked to sign in at Reception on all sites - whether it is via an iPad or on paper
What personal data do we collect?
CHAS holds personal data about you which may include:
- Contact Information
- Car Parking Registration
- Employment Information
We maintain a register of staff, visitors and contractors who enter our buildings. For this register we will keep the details you provide such as name, company details, and vehicle details and registration.
Why allowed to use it
We process your data in accordance with our legitimate interests to manage visitors to our sites and in line with legal obligations around health and safety.
Where does it come from
Data you give to us
Directly from you as you visit a CHAS site.
Data we collect when you use our services
N/A
Data from outside organisations
N/A
Who shared with and why
N/A
If shared overseas
N/A
Retention Schedule
This information is required for health and safety and security purposes and will be for held for one month and then deleted. Car Parking Registration
We will collect and retain your vehicle details if you register them when signing in. We use the data you provide to ensure effective car park management.
This information is held for one month and then deleted.
Suppliers/Service Providers
This section explains what information CHAS collects, keeps and stores about CHAS Suppliers and Service Providers.
What personal data do we collect?
CHAS holds personal data about suppliers and service providers which will include:
- Full business name and address
- Contact details
- Email for BACS remittances and orders
- Bank details
- VAT number
Why allowed to use it
We process your data in accordance with our legitimate interests to manage payments and invoicing and to complete due diligence of third-party vendors. Data may also be used for the performance of a contract so that we fulfil our obligations.
Where does it come from
Data you give to us
- When completing a New Supplier Form
- When completing a tender or onboarding assessment or completion of a contract.
Data we collect when you use our services
- To manage our relationship with you and to fulfil payments and invoicing as per contractual agreements.
Data from outside organisations
N/A
Who shared with and why
Your data may be shared with:
- Internal teams for operational purposes
- Regulatory bodies or authorities where required by law
A GDPR assessment for new suppliers is undertaken by Information Management at CHAS to evaluate data protection risks. Therefore we ensure that any third parties we work with comply with data protection regulations and only use your data for agreed purposes.
If shared overseas
N/A
Retention Schedule
In the UK specific business documents, especially financial and tax records for legal and regulatory compliance are retained for a period of seven years. CHAS adopts this approach for all financial records including supplier data and this is in line with CHAS’s data retention policy.
Employees
This section explains what information CHAS collects, keeps and stores about CHAS employees and workers
What personal data do we collect?
CHAS holds personal data about you which may include:
- Background checks
- Previous employment history
- Education and skills
- Professional experience and affiliations
- Personal identification
- Unique government identifiers (e.g. National Insurance number)
- Personal contact information
- Family information (e.g. emergency contacts)
- Special category data (e.g. health or diversity information)
- Employment data (e.g. job role, contract type, performance)
- Financial data (e.g. salary, pension, benefits)
- Travel and expenses
- Data relating to IT and system usage, such as browsing activity and access logs.
Why allowed to use it?
We process employee data to:
- Verify qualifications and professional experience
- Fulfil our legal and regulatory obligations, including safeguarding those in our care
- Manage employment relationships effectively and fairly
- Ensure compliance with employment law and health & safety requirements
Our lawful bases for processing this data include legal obligation, performance of a contract, and legitimate interests.
Where does it come from?
Data you give to us:
Data you share as part of recruitment process and throughout your employment.
Data we collect through your use of internal systems and services:
We collect data generated through your use of CHAS systems and digital platforms. This may include:
- System access logs
- Email and calendar usage
- Browsing activity on CHAS devices or networks
- Use of collaboration tools and internal applications
This data helps us ensure system security, monitor compliance with internal policies, and support operational efficiency.
Data received from outside organisations:
We may receive data from external sources during recruitment or employment, including:
- References from previous employers
- Verification of qualifications or professional memberships
- Background check results from authorised providers
- Information from regulatory or safeguarding bodies
This data supports our legal obligations and helps ensure the integrity and safety of our workforce and those in our care.
Who is it shared with and why?
Your data may be shared with:
- Internal teams for HR, payroll, and operational purposes
- External service providers (e.g. payroll processors, pension providers)
- Regulatory bodies or authorities where required by law
- Training and development partners
We ensure that any third parties we work with comply with data protection regulations and only use your data for agreed purposes.
If shared overseas
If your data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, to protect your information.
Retention Schedule
Employee data is retained in line with CHAS’s data retention policy. This means we keep your data only as long as necessary for employment, legal, or regulatory purposes, and securely delete it when no longer required.
Clients/Customers
This section explains what information CHAS collects, keeps and stores about CHAS Clients and Customers
If you support us, for example to make a donation, or buy something from our shop or online.
What personal data do we collect?
CHAS holds personal data about you which may include:
- Contact Information
- Financial
Why allowed to use it
The main reason we use your data is to provide you with the services, products or information you asked for.
We process your data in accordance with our legitimate interests to administer your donation or support your fundraising, including processing retail gift aid. We also rely on our legitimate interests to keep a record of your relationship with us and understand how we can improve our services, products or information
We may also obtain your consent to process your data to manage your marketing preferences.
Some data will be collected and used to comply with legal obligations such as complying with financial due diligence requirements.
Where does it come from
Data you give to us
You may give us your information in order to make a donation, purchase our products or communicate with us.
Data we collect when you use our services
If you use your credit or debit card to buy something we will use a specialist payment processor. We will also ensure that card details are handled securely under Payment Card Industry (PCI) Data Security Standards.
Data from outside organisations
N/a
Who shared with and why
Any data that you supply will only be used for the purposes we collected it for. CHAS has a legal requirement to share data with the HM Revenue and Customs (HMRC) to collect Gift Aid on the sales of second-hand goods sold from our shops. CHAS is legally obliged to inform you of these sales so that you can check you are paying enough tax to cover the claimed amount. We will use your information to keep our records up to date. This includes recording any changes of address and Gift Aid declaration renewals and will communicate with you via your preferred method. You may opt out of the shops’ gift aid scheme at any time. You are given 21 days’ notice to stop any claim.
If shared overseas
N/a
Retention Schedule
We will typically store data relating to customer for seven years after their last donation or interaction. Once the retention period has expired, the information will be confidentially disposed or permanently deleted, or anonymised