Personal information charter
Our personal information charter explains how we process personal data.
We process personal data in order to carry out our function as the independent regulator of Charities for England and Wales.
Our objectives, functions and powers are set out in the Charities Acts 1992, 2006, and 2011. References to ‘the Charities Acts’ in this document mean those acts.
Find out more about the Charity Commission for England and Wales.
Privacy notice
This privacy notice explains how we process your personal data. It also sets out some of your rights and entitlements in respect of that personal data. It is written to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use your personal data.
It is important to understand that in certain circumstances, and only where it is necessary to do so, the Commission has the power to collect, process and further disclose personal information without your knowledge and consent. You can find out more about the personal data we process in this privacy notice.
This notice does not address processing for Human Resource (‘HR’) purposes. If you’re applying for a job or contract with us, if you work for us, or if someone you know works for the Charity Commission, you may wish to read our privacy notice for employees, workers and contractors.
There is a separate privacy policy for the GOV.UK website. We have also published detailed privacy notices for some of the things we do:
- automatic disqualification waiver applications
- change charity financial period
- charity annual return digital service
- charity trustee dispensation requests
- Freedom of Information/Environmental Information Regulations requests
- ‘My Charity Commission Account’ privacy notice
- outreach events privacy notice
- practitioner and interim manager appointment
- prospective employees, workers and contractors
- recording of investigative meetings privacy notice
- registering a charity digital service
- report a serious incident in your charity privacy notice
- update charity details digital service
- whistleblowing privacy notice
If you need further information about the use of your personal data or to exercise your statutory rights please email DPIR@charitycommission.gov.uk.
The personal data we process
We have set out below some of the types of information we collect and where we collect it from. We’ve also explained below whether you have to provide certain information to us.
The personal data we collect and process will vary depending upon the type of interaction we have with you, but it can include particularly sensitive personal data such as information about religion, sex, ethnicity, health and criminal convictions. Data such as this is known in legal terms as ‘special categories of personal data’. References in this document to particularly sensitive personal data include references to special categories of personal data and criminal conviction data.
We may not always be able to provide you with full details of the sources and types of information we collect and the list set out below might not be complete. This is because disclosure might allow individuals and organisations to avoid complying with their legal requirements and to evade detection by learning our techniques and sources. But, if you require further information about the data we hold about you then you can email us at DPIR@charitycommission.gov.uk.
We collect and process a variety of different types of personal data including:
- identity details: such as your name, alias, title, date of birth and gender
- contact details: including your home and professional addresses, email addresses, and telephone numbers
- details of organisations you’re involved with: this might include information about your employer, professional organisation, your connection to a potentially charitable organisation or an organisation seeking registration as a charity, or where you spend your free time. It might also reveal or include particularly sensitive personal data such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, or information about your health or genetics
- financial, employment, salary, travel and taxation information: including bank or credit card statements, records from HMRC, records of expenditure, HR or employment records
- criminal conviction data and information relating to alleged unlawful conduct: this might include your criminal record, or intelligence from regulators or law enforcement agencies
- technical data: IP addresses are collected in furtherance of our regulatory objective to ensure that charity registration is proper, and is not being used in a way which would enable fraudulent abuse or misconduct
Where do we get information from?
We collect personal data from a variety of sources including:
Directly from you
We collect data directly from you, for example when you fill out an online form, complete a paper return or correspond with us verbally or through email, post, phone or similar media. We record all calls to our contact centre. To find out more, see the section What happens when you call us?
When you use our online services we collect technical data from users which we use to improve how our digital services function. This is explained in more detail in the section on technical data above and the section on cookies below.
From organisations you’re involved with
We will collect personal data from organisations you are involved with, for example when an annual return is filed or a serious incident is reported. This may include all of the categories of personal data section above, some of which may not be publicly available.
From members of the public or third party organisations
We receive personal data from members of the public or third party organisations. For example by way of an unsolicited report, disclosure or complaint, or where we request, direct or use our regulatory powers to require that certain information is provided to us.
This information may be obtained electronically, on paper or through verbal contact with a charity, or organisations with which a charity is involved. This personal data may include both financial and non financial information about you and may include sensitive personal data including all of the categories of personal data referred to above, some of which may not be publicly available. We also may generate personal data by associating findings from our regulatory work with data we already hold about you.
We also receive a limited amount of personal data from third party organisations in order to assist us in keeping up to date, develop policy and forecast future trends. This includes press cutting services and other services which provide reports and analysis.
Sometimes, a close family member may have given us your details if they work for the Charity Commission and consider that your circumstances may present a conflict of interest (such as employment at, or Trusteeship of, a Charity).
From other government departments, regulators, law enforcement agencies and similar organisations
We share and receive information from these types of organisation because it helps us to fulfil our functions. For some organisations, including the Insolvency Service and Companies House, we regularly and routinely collect large amounts of data so that we can data match against the data we hold. The information we receive and data match includes identity details, contact details, information about insolvency, criminal conviction data and details of alleged wrongful conduct.
We also share and receive information in response to specific requests or disclosures. This may include all of the categories of personal data referred to above, some of which may not be publicly available. We have Memoranda of Understanding or contracts with some organisations where the sharing of data occurs on a regular basis.
From publicly available sources
We collect personal data from publicly available sources such as websites, statutory registers and public records. This may include all of the categories of personal data referred to above, some of which may not be publicly available.
When you need to provide information and what happens if you do not
The information you need to provide depends on the nature of your interaction with us.
If you are a trustee or hold a senior management role in a registered charity or a registerable organisation, you may be required to provide us with certain information pursuant to the Charities Acts. Failure to comply may be a criminal offence. Find out more about registration and reporting requirements.
If you want us to take a particular step or action in respect of a charity (for example waiving automatic disqualification as a trustee, or approving a payment), you may need to provide certain information to us so we can decide whether to take the step or give or withhold our consent. If you don’t provide the information we require, we may not be able to assist you.
We may specifically direct or order you to provide us with certain information using our powers in the Charities Acts. If we exercise those powers you are required to comply and failure to provide the information may be a criminal offence. We will tell you when we are exercising our powers under the Charities Acts when we make the request. You can find further information about some of our information gathering powers at Sections 47 & 52 of the Charities Act 2011.
If you want us to provide you with information, for example pursuant to the Freedom of Information Act 2000 (‘FOIA’) or under our statutory powers, we may need you to provide us with contact details so that we can seek clarification or provide you with the information requested. If you don’t, we may not be able to provide you with the information you need.
If you respond to a consultation or participate in working parties, committees or similar activities convened by us you will be asked to provide personal data (such as contact or identity details) as part of your participation. This is to help us develop high quality policies and guidance and to better understand and work with the sector. If you do not provide this personal data we may not be able to take your contribution into account or give it the same weight as if you had provided personal data to us.
If you are seeking employment with us, or if you want to enter into a different type of contract with us, it may be necessary for you to provide us with certain information in order to enter into that contract. If you don’t then we may not be able to contract with you or offer you employment.
Why we process personal data
We process personal data to fulfil our statutory functions. Our processing can be divided into three broad categories:
Processing that supports our statutory objectives, functions and duties
We process personal data in order to carry out our function as the independent regulator of Charities for England and Wales. Our objectives, functions and duties are set out in the Charities Acts.
This includes things like:
- increasing public trust and confidence in charities
- promoting awareness and understanding of the operation of the public benefit requirement
- promoting compliance by charity trustees with their legal obligations in exercising control and management of the administration of their charities
- promoting the effective use of charitable resources
- enhancing the accountability of charities to donors, beneficiaries and the general public
- determining whether institutions are or are not charities
- identifying and investigating apparent misconduct or mismanagement in the administration of charities and taking remedial or protective action in connection with misconduct or mismanagement in the administration of charities
- giving information or advice, or making proposals, to any Minister of the Crown on matters relating to any of the Commission’s functions or meeting any of its objectives
Our functions, objectives and duties necessarily include:
- conducting research; such as thematic reports into accounts, or into public trust and confidence in the charity sector
- developing guidance to assist charities and trustees better comply with their duties under charity law
- operating an International Programme to assist charities operating internationally, including in high-risk areas. We organise workshops and events to facilitate the programme, which aims to educate, inform and provide guidance for charities who operate overseas
Find out more about our objectives, functions and powers.
Processing in our wider capacity as a government department and a public authority and in order to comply with the obligations which arise in that capacity
We process personal data in order to fulfil our wider role as a government department and as a public authority. This includes things like: sharing information with other public authorities pursuant to the Charities Acts, complying with the Public Records Act, complying with the principles of open justice and open government, and responding to requests under the FOIA.
Processing in our capacity as a large organisation and employer
We also process personal data in order to ensure that we have the resources and staff we need to carry out our work.
This includes things like processing financial information about our staff and suppliers; supporting staff members who have health problems, accidents or injuries; the recruitment and selection of staff; and providing references and pension information about staff who were previously employed by us.
Why we collect personal data
We generally only collect personal data where it is necessary to directly support or facilitate our statutory objectives and functions, or in our capacity as a large organisation and employer.
We don’t often collect personal data solely for the purpose of fulfilling our wider role as a government department or public authority, although we may do so where we need certain information in order to comply with a request or legal obligation. For example, we may need your contact details in order to provide you with information requested pursuant to the FOIA, or in order to provide statistical returns to central government.
How we process data after collection
We may further process information we collect for a different purpose, so long as that purpose is compatible with the purpose for which the information was collected, or where we are otherwise permitted or required to do so by law. Where necessary and permitted by law, we carry out this processing without your knowledge or consent, such as the generation of internal analytical reports to support our regulatory work. This means that information provided for one of the three broad reasons set out above may be used for any of the other reasons, even if the relevant charity is no longer registered or you are no longer involved with it.
Some common examples of this are:
- in the course of an investigation into apparent misconduct or mismanagement or in response to a request for information from a member of the public we may use information received in respect of an application for charity registration, decisions we make on the eligibility/suitability of an individual to act in the administration of a charity, or for approval for a specific step; or information provided to us pursuant to a legal obligation (for example accounts or reports of serious incidents)
- we may share your personal data (including particularly sensitive types of personal data):
  - with other government departments, public authorities, regulators and judicial and quasi-bodies and for special categories of personal data only where it is necessary in the substantial public interest to do so; or
  - where we are obliged to do so by law, for example in response to a FOIA or Environmental Information Regulations (EIR) request or a request made under the Charities Act, for example, to see the governing document or accounts for a charity
Legal basis for processing
We process personal data in a variety of different ways. The table below sets out the legal bases we rely on for processing.
We may process your personal data on more than one basis depending on the purpose for which we are using your data. Please email us at DPIR@charitycommission.gov.uk if you need details about the specific legal basis we are relying on to process your personal data.
It is rare that we rely on your consent to process your data. However, where we do, you have the right to withdraw your consent at any time. You can find out more information about exercising your rights further on in this privacy notice.
When we process special category data we do this in accordance with our policy, which defines when and how we may process this data in the substantial public interest.
Who we share your personal data with
We may share your personal data (including particularly sensitive types of personal data):
- to the public on our website
We routinely publish (and make available for re-use) certain personal data on our website. This includes trustees’ names, the name and email address of the designated charity contact, auditor or independent examiner, and information contained in charities’ annual accounts. We also publish reports at the conclusion of investigations and inquiries and a register of removed and disqualified trustees.
There may be occasions when we publish sensitive types of data, such as criminal convictions, as part of inquiry reports, or press statements. We have an internal process to periodically check if a conviction has been spent and, in these instances, will ensure that they are removed from publication.
We publish information about our staff and expenditure in order to comply with the central government corporate transparency commitments. This includes information about our workforce, suppliers and expenditure. In some cases details of individual transactions or contracts may be published in full. You can read more about our transparency commitments on GOV.UK. We also routinely publish responses we receive to consultations.
- where it is necessary to share the information in order to further our statutory objectives or functions
We may need to share personal data with third parties in order to further our statutory objectives or functions. For example, in the course of an investigation into alleged financial misconduct, we might provide your personal data to a bank so that we could establish whether they held relevant information. If we receive a report of misconduct, we may need to share information with a registered organisation you’re involved with. Where appropriate we may also share larger datasets and carry out data matching with other organisations.
- with other government departments, public authorities and regulators
The Charities Acts, and in particular sections 54-59 of the Charities Act 2011, permit us to disclose information held by us to any relevant public authority if the disclosure is made for the purpose of enabling or assisting the relevant public authority to discharge any of its functions, or if the information so disclosed is otherwise relevant to the discharge of any of the functions of the relevant public authority. We have agreed a ‘Memorandum of Understanding’ or legal agreement with some organisations to facilitate compliant data-sharing where it is undertaken on a routine basis.
As a consequence, where it is necessary and proportionate to do so, we may share particularly sensitive types of personal data pursuant to the powers granted to us in the Charities Acts.
We may also share information with other government departments, public authorities and regulators in our capacity as a large organisation and employer. For example we may share taxation information with HMRC or information about conduct with a professional body.
- in response to requests for information, for example pursuant to the FOIA, the Environmental Information Regulations (EIR), Re-use of Public Sector Information Regulations (RoPSI), or our common law powers of disclosure
We are required in certain circumstances to disclose certain information in response to requests made by members of the public. This includes documents which are filed with the Commission such as governing documents, accounts or minutes of meetings.
Once we disclose information in this way it is treated as being disclosed to the ‘world at large’. This means the recipient may publish it further, for example in a newspaper or blog.
- with third party processors and service providers
We use third parties and service providers to process some personal data on our behalf.
These include:
- IT providers acting as processors
- mail services providers (Notify and SendGrid)
- professional advisers acting as processors and as joint controllers including lawyers, auditors and insurers based in the United Kingdom who provide consultancy, legal, insurance and accounting services
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
We do not allow these third parties to use personal data for their own purposes and we only permit third party processors to process personal data for specified purposes and in accordance with our instructions.
- to a court, tribunal, party or prospective party where the disclosure is necessary in order to exercise, establish or defend a legal claim
- where we are ordered to by a court or tribunal or where we are otherwise required to do so by law
International transfers of personal data
We do not routinely transfer information overseas. We would only transfer information outside of the UK where such a transfer was necessary for important reasons of public interest or otherwise necessary for the establishment, exercise or defence of legal claims.
Where there is no adequacy decision from the UK in respect of a country we intend to transfer data to we will put in place appropriate measures to ensure that your personal information is treated by those third countries in a way that is consistent with, and which respects, UK laws on data protection. If you require further information you can request it from the DPO (see below).
How long we retain personal data for
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
It is important to note that in certain circumstances we retain personal data received in connection with a particular charity even after a person’s involvement with a charity has ended and after the charity is no longer registered.
Our Data Protection Officer
Our Data Protection Officer (DPO) is a permanent employee of the Charity Commission.
The DPO is responsible for monitoring our compliance with data protection legislation, and is the point of contact for concerns you may have over how we are processing personal data, and any incidents you want to report to us.
The Charity Commission DPO contact details are:
Email: DPO@charitycommission.gov.uk
Or you can write to:
PO Box 211
Bootle
L20 7YX
The UK supervisory authority for data protection is the Information Commissioner’s Office (‘the ICO’). We are registered with the ICO under registration number [Z5640596].
You have the right to make a complaint about the processing of your personal data at any time to the Information Commissioner’s Office (ICO), and more information can be found on the ICO website.
Your legal rights as a data subject
Under certain circumstances, you have rights under data protection laws in relation to your personal data. You should be aware that these rights are subject to the restrictions set out in Part 2 of Schedule 2 to the Data Protection Act 2018.
In particular they do not apply to personal data processed for the purposes of discharging functions conferred on the Charity Commission by or under the Charities Act 1992, 2006 or 2011 where exercising those rights would prejudice the proper discharge of those functions.
You will not have to pay a fee to access your personal data (or to exercise any of your other rights). But, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may also refuse to comply with your request in full or in part where disclosure would prejudice a Police inquiry or would be contrary to law, for example, it would be in breach of the Proceeds of Crime Act or money laundering regulations.
The right of access to your personal data
You have the right to receive confirmation as to whether or not personal data about you are being processed, and, where that is the case, access to that personal data and certain information, including:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipients to whom the personal data have been, or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- where the personal data were not collected from you any available information as to their source
- the existence of automated decision-making, including profiling; and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Please note that this right is subject to certain exemptions and it may not be available in all cases.
If you wish to submit a Subject Access Request to the Commission, please email SARS@charitycommission.gov.uk.
Please provide as much detail as possible to enable the Commission to easily locate and retrieve your personal data.
The right to rectify your personal data
You have the right to rectification of inaccurate personal data concerning you without undue delay. This includes the right to have incomplete personal data completed.
The right to erasure of your personal data
You may have the right to require us to erase your personal data without undue delay if:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- you withdraw your consent (if given) and there is no other legal ground for the processing
- you object to further processing and there are no overriding legitimate grounds for the processing
- the personal data have been unlawfully processed
- the personal data have to be erased for compliance with a legal obligation to which we are subject
The right to object to processing of your personal data
You have the right to object to the processing of your data and if you do, we may be prevented from further processing your personal data unless certain conditions are met.
The right to restrict processing of your personal data
In certain circumstances you may have the right to restrict further processing of your personal data and if you do, we may only further process your personal data for storage, with your consent, for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The right to data portability
Where you have provided information to us and where that information is processed by automated means pursuant to a contract, you may have the right to have that information provided to you in a machine-readable format. This is so you are able to re-use your personal data across different services.
Exercising your rights
If you wish to exercise any of the rights set out in this privacy notice, please contact the Data Protection and Information Rights team by emailing DPIR@charitycommission.gov.uk.
We will need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We will usually ask you to provide one form of proof of identity and one form of proof of address. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within 28 days. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We may not always be able to release all of the information you have asked for. This might be because certain information is exempt from release to the public.
In some circumstances we may be able to review the outcome of your request within 28 days of it being issued. Please email DPIR@charitycommission.gov.uk if you think our decision making about what information we release is incorrect.
It helps us if you tell us why you think our decision is wrong and exactly what additional information you would like us to release.
Cookies
Google Analytics:
We use Google Analytics software on Charity Commission platforms to collect information about how users are accessing our website. This information relates to the following:
- the pages you visit
- how long you spend on each page
- how you got to the site
- what you click on while you’re visiting the site
- what links you open in emails from us
This information is generated by the cookie about your use of the website and will be transmitted to and stored by Google on servers in the United States. Such information will include details of your browser (for example Chrome or Safari) and your geolocation (to the nearest country/city). The data we collect on user behaviour is used by us to improve our services. For example, so that they are intuitive, accessible and fulfil their function. We retain the data for up to 38 months for this purpose. This period runs from the last point at which the webpage was accessed. No data from cookies which could identify you, such as IP addresses, are collected by Google Analytics.
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of the website. For example, a webpage may not be able to remember your preferences from a previous visit. Refusing cookies will not affect your ability to use our services however. A full list of our services which use cookies is set out below:
Electronic contact forms
- enquiry form
- amend governing document
- close a charity (dissolution)
- change name
- raise concern
- apply to make a moral payment
- appoint a member of staff as a trustee
- decision review
- dispose of charity land to a connected person
- employ a trustee
- employ a person or organisation who is connected to a trustee
- employ someone who is connected to a trustee
- employ someone who is or was a trustee
- linking charities
- notification of a charity merger
- pay less than £1000 to a trustee
- pay a trustee for providing a service
- pay a trustee for serving as a trustee
- pay a trustee compensation to replace or part replace lost income
- spend permanent endowment
- transfer assets to another charity
- using charity or charitable in non-charitable company name
- vest charity land in the Official custodian
- waivers form
- CIO form
Digital services
- administration clause
- dissolution clause change
- main charity name change
- object clause change
- trustee benefits clause change
- change and upload governing document
- working name change
- register a charity
- financial reporting (SORPs)
- annual returns
The cookies Google Analytics uses are:
Google Analytics
Name | Purpose | Expires |
---|---|---|
_utma | This lets us know if you’ve visited before, so we can count how many of our visitors are new to our services | 38 months |
_utmb | This works with _utmc to calculate the average length of time you spend on our pages | 30 minutes |
_utmc | This works with _utmb to calculate when you close your browser | When you close your browser |
_utmz | This tells us how you reached our services (for example from another website or a search engine) | 6 months |
Cookies collected by Government Digital Services
The GOV.UK website, which is run by Government Digital Services (GDS), hosts all Charity Commission content and guidance and also uses Google Analytics software. You can find further information on the data collected by GDS in their cookies policy.
Find out more about privacy information from Google Analytics.
Find out more from the Information Commissioner’s Office about how to manage cookies.
What happens when you call us?
When you call our Contact Centre (0300 066 9197), we will collect and keep transaction information, which includes: your telephone number (if not withheld), date and time of call, which advisor you spoke to, and duration of call. We use this information to understand the demand for our services and to improve how we operate. We may also use the number to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We can also use it to check how many calls we have received from it. This data is held for 2 years before being deleted.
We audio record our calls (including customer telephone surveys) and store this information securely for 30 days. We retain a small number of calls for longer than 30 days but for no more than 1 year, so we can monitor and improve the quality of our service, and also to help us investigate any complaints that may arise about the service. Other Charity Commission staff may listen in during your call for training or quality assurance purposes.
All of our data is stored securely in UK-based data centres and is only available to relevant staff such as system administrators within the Commission and our supplier, Opus, who provide support services for the software.