THE OCEAN TRUST PRIVACY NOTICE
Who we are
The Ocean Trust’s mission is to rebuild and restore dying reefs up and down the coast of East Africa starting in the Lamu Archipelago, Kenya. It is made up of two legal entities within the UK and Kenya. The Ocean Trust is registered as data controller with the UK Information Commissioner's Office (ZB504946) but is currently exempt from registration with the Kenyan Office of the Data Protection Commissioner.
Scope of this Privacy Notice
The Ocean Trust is committed to safeguarding the privacy of our donors, suppliers, website visitors and staff. This privacy notice sets out the way in which the personal data you provide to us (and the data collected by us) is handled, stored and processed.
This privacy notice covers processing carried out by both The Ocean Trust entities within the UK and Kenya, referred to as the The Ocean Trust throughout this privacy notice. This Privacy Notice ensures that individuals whose data may be processed by the The Ocean Trust are fully aware of how their data is used, their rights in relation to this data and helps demonstrate how this data will be used in compliance with UK and Kenyan Data Protection laws.
How we obtain your information
Your information may come to us from a number of different sources. You may provide it directly to us when registering or signing up online or in person e.g. to a donation box or to subscribe to a newsletter. Additionally we may receive your information through our partner fundraiser organisations who may share information on their networks with us (as described in their own privacy notices and with your consent where required).
Other examples of where The Ocean Trust may obtain your personal data from, includes collecting information via cookies on our website (see our Cookies Policy) or accessing your publicly available contact details online e.g. to contact you about the work of the charity.
Where personal data is provided to us by a third party, we will make sure that these third parties have provided you with appropriate privacy information on the sharing of this data with The Ocean Trust and have a clear lawful reason for sharing this data. Where this is found not to be the case, we will make every effort to make sure you are made aware that we are processing your information within a month. Where contacting you directly in relation to this is difficult to achieve, then we will ensure that our privacy notices clearly detail where this is happening.
Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this notice.
More information on our current uses of data from different sources are detailed below.
How we use your information
This section describes how we use your information. Each purpose is described below with detail relating to:
- Why we collect this information [Purpose]
- What we collect – what personal and potentially more sensitive data we collect for this purpose [Information]
- The source of this data – was this provided by you or obtained from another source [Source]
- Our legal justification for using this data – what lawful basis The Ocean Trust has under UK and Kenyan Data Protection law for using your data in this way [Legal Basis]
Managing Donations
Purpose To allow the The Ocean Trust to generate income to support their fundraising activities, to create a portfolio of donors, understand donor demographics (including developing profiles based on individual characteristics) and process your donations and gift aid contributions. This function is delivered by The Ocean Trust UK.
Information Name, email address, telephone number, billing address and bank details (if making a donation via online payment methods) relating to individuals or organisations that may be donating to The Ocean Trust.
Source Provided by individual donor directly to The Ocean Trust or to The Ocean Trust via fundraising consultants.
Legal Basis As part of the legitimate interests of the The Ocean Trust to generate income to support their causes whilst at the same time considering the rights and interests of individuals.
Supplier Management
Purpose To manage the relationship with new and existing suppliers, ensuring appropriate financial management of ongoing contracts with suppliers including sending statements, invoices and payment reminders and collecting payments.
Information Supplier’s name, email, contact numbers, address, and financial and contractual documentation such as contract terms and conditions, purchase orders, invoices etc.
Source Provided by the supplier organisation or generated by the The Ocean Trust as part of initial dealings with new suppliers.
Legal Basis In order to enter into a contract with a supplier or to manage the ongoing performance of that contract with that supplier.
Staff Management
Purpose To manage recruitment and appropriate management of staff employment contracts including to pay staff, administer relevant benefits, pensions and insurance entitlements, meet legal obligations under relevant employment related laws, keeping employment records, manage sickness/absence and appropriate performance and disciplinary/grievance processes, provide references and support occupational health requirements.
Information Staff name, email, contact numbers, address, date of birth, gender, age, work experience, performance related data, occupational health data, criminal checks as appropriate to role, bank information, next of kin details.
Source Provided by the member of staff directly or via recruitment agencies where recruited in this way.
Legal Basis In order to manage the ongoing employment contract with the staff member, to meet legal obligations in relation to employment law and health and safety and as part of the legitimate interests of The Ocean Trust in recruiting relevant staff to their organisation. With the explicit consent of the individual where more sensitive data is collected.
Communications and providing information on the work of the The Ocean Trust
Purpose To send you email notifications you have specifically requested in relation to the work of the The Ocean Trust and communications such as newsletters and bulletins. To send you marketing communications relating to our organisation which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology (you can inform us at any time if you no longer require marketing communications).
Information Email address, job title, organisation name, consent status for receiving marketing materials.
Source Provided by you as part of dealing with The Ocean Trust or attending The Ocean Trust events or fundraisers.
Legal Basis Depending on relevant law and specific use of this data, this will be as part of the legitimate interests of the The Ocean Trust carried out in a way that balances the rights and interests of individuals against the legitimate interests of The Ocean Trust or based on explicit consent provided by you for this information to be sent to you.
Dealing with your enquiry or a complaint
Purpose To allow The Ocean Trust to effectively deal with any enquiry or complaint you or others may have.
Information Name, contact email and telephone number and nature of the enquiry or complaint. Personal data of complainants and respondents.
Source Provided by you and others via our website, telephone or in writing. Potentially provided by another organisation that we have contacted about a complaint you have made and who gives us your personal information in its response or a complainant may refer to you in their complaint correspondence.
Legal Basis As part of the legitimate interests of The Ocean Trust. This will only be carried out in a way that balances the rights and interests of individuals against the legitimate interests of The Ocean Trust.
Managing Events and Training
Purpose To allow The Ocean Trust to effectively run events and fundraisers and manage training. To communicate with event and training attendees and with business contacts who have asked to be kept in touch with, for events and training.
Information Name, job title, contact email and telephone number, postcode and nature of the event you are attending. Potentially some more sensitive information on health requirements should they be required e.g. for ensuring appropriate accessibility to events and dealing with dietary requirements. Photographic images taken at event.
Source Provided by you via our website, via an event booking site, telephone or in writing.
Legal Basis As part of the legitimate interests of The Ocean Trust in running events that may be of interest to you, with your explicit consent where any more sensitive data may need to be collected or for use of photographs including your image.
Dealing with rights of data subject requests
Purpose To allow The Ocean Trust to respond to requests under the relevant Data Protection law for individuals to exercise their rights e.g. to access their own data, request erasure of data, object to processing etc.
Information Name, contact email and telephone number, nature of data subject request and proof of ID where required to verify your identity.
Source Provided by you via our website, social media channels, via email, telephone or in writing.
Legal Basis The Ocean Trust are legally obliged under UK and Kenyan Data Protection laws to respond to data subject requests.
Managing data breaches
Purpose To be able to assess any impact on individuals of a data breach involving personal data held on The Ocean Trust systems or on third party systems.
Information Any information relating to an individual that may have been breached.
Source From any organisation or individual that may have reported this data breach to The Ocean Trust.
Legal Basis The Ocean Trust are legally required under UK and Kenyan Data Protection laws to respond to data breaches appropriately.
Legal Matters
Purpose To deal with legal claims and ongoing litigation cases.
Information Names of individual involved in relevant legal matter and any relevant information in relation to that individual that may be relevant to the case.
Source Providing by you as part of any ongoing legal matter.
Legal Basis Necessary for compliance with a legal obligation and for the establishment, exercise or defence of legal claims.
Improving the use of our website and IT systems
Purpose To ensure appropriate system administration and troubleshooting of website issues, to track the pages you have visited in order to improve the quality of the site and to personalise the website experience. To keep track of and solve issues users are experiencing with our technology systems, personalising our website for you, enabling your use of the services available on our website, keeping our website secure and preventing fraud.
Information User’s IP Address or the location of your computer or network on the Internet and any individual’s data needed to deal with an internal system issue (where the issue is linked to that individual’s data).
Source Automatically collected as part of using our website and via cookies on the website [See separate Cookies notice and identified by The Ocean Trust in managing specific IT issues.
Legal Basis Explicit consent is sought for use of cookies when you access our website. Methods of turning off cookies can be found in our Cookies Policy. Ensuring our systems are working effectively and user issues can be resolved is part of our legitimate interests in running the organisation effectively.
Sensitive Data
There are certain types of information that are defined as more sensitive under UK and/or Kenyan law. The Ocean Trust only process this kind of more sensitive data in limited situations and where strictly necessary including information on health status of staff, criminal checks as part of vetting new staff, dietary or accessibility requirements for hosted events and family details in relation to next of kin information (sensitive under Kenyan Data Protection law). The lawful justification for processing these types of data are included in the sections above.
Does The Ocean Trust have to use my personal data?
The Ocean Trust are committed to only collecting the minimum personal data required in order to achieve the purposes highlighted above. It will continually review its data collection practices to ensure this continues to be the case and to ensure that data is deleted when no longer required for the specified purposes.
Profiling
UK and Kenyan Data Protection law includes certain provisions around how personal data can be used for:
- Profiling – where personal data is processed to evaluate certain things about an individual
- Automated individual decision making – where a decision is made based on your personal data solely by automated means
This include ensuring that individuals are made aware of this profiling, how decisions are made based on this and the consequences of these decisions.
The Ocean Trust may use your information to develop profiles for marketing and fundraising purposes, to allow us to target our fundraising activities appropriately and to provide you information that may be of relevance to you. It does not carry out any automated individual decision making.
If you would like further information on how your personal data is used for profiling purposes please get in touch.
When we might disclose your data
We may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as is reasonably necessary for the purposes set out in this notice.
We may share your data with third parties to perform services on your behalf. Types of third parties who may have access to your personal data include:
- Third Party IT System Suppliers who may host your data on their systems and may need some level of access to resolve technical concerns
- Printers and digital advertising suppliers to print off and send out marketing materials
- Solicitors, counsel and claimants in relation to legal matters
- Accountants and advisors in relation to finance matters
- Finance team at Grosvenor to support financial aspects of UK donations
- Insurers
- Payroll providers
- Payment providers including PayPal and Apple Pay
- Fundraising consultants
- Partner organisations with whom The Ocean Trust work closely with your consent
We may disclose your personal information:
- to the extent that we are required to do by law
- in connection with any ongoing or prospective legal proceedings
- in order to establish, exercise or defend our legal rights (including providing information to others for the purpose of fraud prevention and reducing credit risk)
- to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such or authority would be reasonably likely to order disclosure of that personal information
We will never sell or share your personal information with other organisations for their direct marketing purposes without your explicit consent. Except as provided in this policy, we will not provide your personal information to other third parties.
International Transfers
Occasionally, in order to meet the purposes defined in this notice, we may need to transfer personal information you submit to us to countries or jurisdictions outside of that in which you currently reside or are based. This may include sharing between our two entities within the UK and Kenya, to share information on UK residents with third parties outside the UK, or on Kenyan residents with third parties outside Kenya e.g. to the US in managing donations.
Specific safeguards exist to govern this sharing, including ensuring that appropriate safeguards with respect to the security and protection of the personal data are in place, consent is obtained where required and relevant contracts to govern these international data transfers are implemented as required.
In each case, we ensure that our suppliers provide adequate protection for the confidentiality and security of this information and the rights of individuals in connection to the transfer of their personal data.
Security of your Data
The Ocean Trust are committed to processing and retaining data within established technological and physical controls in a transparent manner, as well as promoting and safeguarding the information rights of data subjects.
The Ocean Trust has established procedures to ensure that technological and physical controls are in place that guarantee the privacy of data subjects, the security of data held on technological systems and that all data held by The Ocean Trust is processed according to an established lawful processing condition. Any such procedures will be reviewed as necessary and updated to ensure their effectiveness in line with advances in technology. We will store all the personal information you provide on our secure servers.
Our website has security measures in place to protect against the loss, misuse or alteration of the information under our control. Whilst we have done everything we can to ensure security of data sent using our systems, any transmission of data is done so at your risk.
How long we keep your data for
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information.
Personal data that we process for any purpose will not be kept for longer than is necessary for that purpose. Different purposes will have different retention periods and some examples of retention periods applied are detailed for some of the main types of data below:
· Supplier information – 6 years for invoices, 3 years for other financial information when we have stopped using the supplier and permanently for supplier contact and VAT details
· Employees data - 6 years after they have left employment
· Donations information
o Professional contacts reviewed annually and deleted if no longer required
o Marketing contacts for as long as you agree to receive these
o Donor details – two years after fundraising campaign, or immediately if you decide not to donate
o Potentially indefinitely as part of historical records e.g. for major donors
Notwithstanding the other provisions of this section, we will retain your personal data:
- To the extent that we are required to do so by law
- If we believe that the information may be relevant to any ongoing or prospective legal proceedings
- In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)
- To support the ongoing business purposes of The Ocean Trust as specified above (with due consideration for the rights and freedoms of individuals privacy)
If you would like further details of how your personal data is retained by The Ocean Trust, please contact us directly.
Your rights
You have a number of rights under Data Protection law including:
- The right to be informed about the collection and use of your personal data e.g. via this privacy notice
- The right to access your personal data
- The right to have any inaccurate personal data rectified, or completed if it is incomplete
- The right to have your personal data erased in certain circumstances
- The right to request the restriction or suppression of your personal data in certain circumstances
- The right to data portability - to obtain and reuse your personal data for your own purposes across different services
- The right to object to our use of your information in certain circumstances e.g. for marketing or profiling purposes
If you would like to access your own personal information or exercise any of the rights detailed above, please contact us by emailing admin@theoceantrust.org.
In the majority of cases, we will respond to your request within one month of receiving the necessary information required to deal with your request. We may ask you to supply appropriate evidence of your identity and any additional information to help us to deal with your request effectively.
There may be some exemptions to dealing with your rights as specified in Data Protection law, but we will ensure you are fully informed of this within a month of receiving your request.
Can I object to your use of my information?
You can object to our use of your information in certain circumstances e.g. such as for profiling and for marketing purposes in the UK and to processing generally in Kenya, unless The Ocean Trust can demonstrate compelling legitimate interests for the use of this data or are using it in relation to legal claims.
You can unsubscribe to receiving marketing materials from The Ocean Trust at any time and we will ensure that you are given the opportunity to opt out of receiving this type of information whenever we contact you in this way.
If you would like to object to the use of your data please contact the Data Protection Lead (see below).
How do I raise a concern if my rights are not met?
If you are unhappy about the use of your personal data, then please contact us directly and we will try to resolve your concern. If you have a concern that cannot be resolved through discussion with us, these can also be raised with the Information Commissioner’s Office in the UK or the Kenyan Office of the Data Protection Commissioner. More information can be found from the following links:
File a complaint – OFFICE OF THE DATA PROTECTION COMMISSIONER KENYA (odpc.go.ke)
Different versions of this privacy notice
The information provided within this privacy notice can be made available in different formats including in printed form, different languages, child friendly notices and approaches that meets the need of the visually and hearing impaired.
Should you require this information in a different format, please contact the Data Protection Lead.
Changes to our privacy notice
This privacy notice will be reviewed annually or sooner, should any new types of processing be identified or changes to current data protection legislation may mean changes are required. Any changes we may make to our privacy notice in the future will be posted on this page.
Contact Us
If you have any questions about our privacy notice, our use of personal data or if you wish to exercise your rights in respect of your personal information, please contact our Data Protection lead by emailing admin@theoceantrust.org.