Privacy Policy

St Olave’s & St Saviour’s Schools Foundation
Privacy Statement
At the Foundation, we take your privacy and personal data seriously and we are committed to letting you know how we use your personal information and to do so responsibly. References to “we”, “us” and “our” in this Privacy Policy are references to the St Olave’s & St Saviour’s Schools Foundation CIO, a charity registered in England and Wales, No.1181857. We aim to ensure that all personal data collected, stored and processed is managed in accordance with the General Data Protection Regulations (GDPR).

The Foundation seeks to hold the minimum amount of information required to enable it to perform its functions. Personal data refers to any information relating to an identified or identifiable natural living person. This includes information such as name or other identifier, location information or another online identifier (including email address). In addition, there are additional special categories of personal data which we may collect, including racial or ethnic origin and age. We will only hold and process data in accordance with the information provided below. Data may be held in both paper and electronic formats. We collect information directly from yourself or from a grant application. The GDPR requires that personal data be dealt with according to six principles, which the Foundation follows:

• Information is processed lawfully, fairly and in a transparent manner;
• Information is collected and processed for specific, explicit and legitimate purposes;
• Information is adequate, relevant and limited to what is necessary;
• Information is accurate and kept up to date;
• Information is kept for no longer than is necessary; and
• Information is processed in a manner that ensures it is appropriately secured.

We will only process personal data where:
• You have provided explicit consent;
• The data is required to enter into or fulfil a contract;
• We have a legal obligation to hold the data;
• The data is necessary to ensure your vital interests;
• If the data is necessary to perform tasks in the public interest; or
• If we have a legitimate interest in processing the data to achieve our charitable
aims and objectives.

No automated decision making processes are operated by the Foundation.
In the event that a third party has access to your personal data through their operational
role with the Foundation (for example, the providers of IT support), we will obtain
assurances that their systems and processes are maintained in accordance with the
GDPR requirements.

  1. Information about you
    January 2022
    1.1.We will collect personal information from you when you apply for a grant. This may
    include your name, title, physical and email addresses, telephone numbers, bank
    details, age and any further information which we require or you divulge to us in
    relation to your grant application.
    1.2.We will not sell or pass on to any organisation personal information other than as
    identified in this policy, without explicit consent.
  2. Our use of your information
    Grants
    2.1.We will use your personal information to process your grant request, communicate
    with you and if successful, make payments to you. Your grant application confirms
    your explicit consent for us to process your data for these purposes. We maintain
    an electronic grants recording system on which your data will be held.
    2.2.We may share the information provided in your grant application or that you
    subsequently provide to us, with other grant funders who might be more suited to
    your particular application or where we are unable to fund you for some other
    reason. We will only do this where we believe there is a reasonable chance that
    another organisation might be in a position to provide you with a grant.
    2.3.We may share your name, addresses and telephone numbers together with basic
    information regarding your grant application with the London Borough of Southwark
    or organisations working in the area to monitor the overall coverage and
    effectiveness of grant funding in the Borough. We will not share your bank details
    for these purposes.
    Audit
    2.4.In order to undertake their work, we will share documents and other records with
    our auditors. This may include personal information in respect of anyone with
    whom we engage. This data will be incidental to the completion of the audit and will
    not be shared any further.
    Legal
    2.5.In the event that a circumstance arises where we are required to share personal
    data with lawyers, we reserve the right to provide that data to them in accordance
    with legal obligations.
  3. Security
    3.1.We will take reasonable precautions to prevent the loss, misuse or alteration of
    information you give to us. We may communicate with you by email and such
    communications will not be encrypted.
    3.2.Whilst we will endeavour to keep our systems and communications protected
    against viruses and other harmful impacts, we cannot bear responsibility for all
    communications being virus free.
    3.3.In the unlikely event of a suspected data breach, we will investigate the
    circumstances and if a breach appears likely, inform the Warden (Chair) of the
    Foundation and if necessary, the Information Commissioners Office (ICO) within 72
    January 2022
    hours of the suspected breach being identified. If we believe there is a risk of a
    potential impact on you, eg the risk of a financial loss, we will contact you directly to
    inform you of the breach. We will record all suspected breaches in our internal
    breach log. In the event that a breach has been suspected, we will take actions to
    mitigate the risks to you.
    3.4.All staff are provided with training on our data protection policies as part of their
    induction process.
  4. Retention
    4.1.We will keep your personal data for the period that your grant is active and for a
    further six financial years. We will keep financial records in accordance with
    government requirements (currently six financial years after the year in which the
    final payment is made) and a summary of grants given and to whom, indefinitely.
    4.2.Where a grant application is not successful, we will keep your personal data for
    one financial year after the year in which you apply. We will however keep a record
    of your name, a short description of what you applied for and that you did not
    receive a grant, indefinitely.
  5. Cookies
    5.1.If cookies are used, they will only be used to assist the purposes set out in this
    policy.
  6. Subject Access Requests
    6.1 You have the right to make a “subject access request” to gain access to the
    personal information that the Foundation holds about you. This must be made in
    writing to the Foundation office and proof of identity will be required before the
    request can be processed. We will process your request within one month of
    receiving both your request and your proof of identity. The right to make a request
    is extended to individuals who hold Power of Attorney for an individual, who can
    make requests on behalf of that individual providing they provide proof of identity
    and the original Power of Attorney document.
    6.2 You can request the information we hold about you and the purposes that we are
    using it for. You can ask us to stop or restrict our processing of your information,
    require us to correct information we hold about you that is wrong or to erase all the
    information we hold about you. If you want us to do any of these, then please
    email us at grants@stolavesfoundation.co.uk.
    6.3 If we consider a request to be unfounded or excessive, we may refuse to act or
    charge a reasonable fee to take into account the cost of processing the request. If
    we refuse a request, we will tell you why and that you have the right to complain to
    the ICO.
  7. Other information
  1. 7.1.The Data Controller for the Foundation is the Chief Executive who can be
  2. contacted at grants@stolavesfoundation.co.uk or by mail at our offices or by
  3. another means of communication agreed with staff or the Chief Executive.
  4. 7.2.If you are dissatisfied with the way we have processed your personal data, you
  5. should raise your concerns with us as soon as possible. If you are dissatisfied with
  6. the way we have handled your concern, you may ask the Information
  7. Commissioner to look into the matter. Details of how to do this can be found at
  8. www.ico.org.uk/concerns.