Guidance

Update charity details privacy notice

Published 8 November 2018

This privacy notice explains how we, the Charity Commission, process personal data submitted through the ‘Update Charity Details’ (UCD) service (‘the service’).

This notice is supplemented by our main privacy notice, our Personal information Charter, which provides further information on how we process personal data, and sets out your rights in respect of that personal data.

You should also ensure you are familiar with the ‘My Charity Commission Account’ (MCCA) privacy notice because you can only access the UCD service using your Charity Commission Account.

It is drafted to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use personal data. If you need further information please contact our Data Protection Officer.

What personal data does the Commission collect through the service?

The service enables charities to update their register particulars. The following register particulars may contain personal data, including special categories of personal data:

Information about Categories of personal data Automatically published on website?
Charity Public address Address, telephone number and email address
This can be the address of an individual or an office or PO Box address
Yes
The charity Name and activity description Yes
Charity trustees Title, legal name, suffix and role Yes
Charity trustees Date of birth, date of appointment, address and post code, telephone number, email address (or confirmation that the person does not have an email address), date of resignation
Trustee details may indicate special category personal data such as religious belief depending on the charity and its governance
No
Charity contact details Title, name, suffix, date of birth, role, date of appointment, address and post code, telephone number, email address (or confirmation that the person does not have an email address) No
The charity Bank details No

We also collect details of the person using the service, including their name, role at charity, telephone number, and email address.

Why does the Commission ask for this information? What happens if it’s not provided?

In broad terms, we collect information through the service to fulfil our functions and objectives as the regulator of charities and under the Charities Act. You can find out more about our functions and objectives in our main privacy notice.

Information about the charity, charity trustees and public charity contact details

Section 29 of the Charities Act 2011 requires us to keep a register of charities which must contain the name of the charity and other particulars determined by the Commission. The above information comprises register particulars and we are required to collect and process that information by law.

We also collect the above information so we can fulfil our wider functions and objectives as the regulator of charities in England and Wales. For example: publishing the names of trustees and activities of charities promotes public trust and confidence in charities and collecting contact and bank account details allows us to properly investigate allegations of misconduct or mismanagement.

S35(3) of the Charities Act 2011, requires trustees to notify us if there is any change to the particulars entered in the register. If you are a charity trustee and you fail to provide information where there has been such a change, you may be in breach of charity law.

You are also obliged to provide true and accurate information to us. It is an offence under S60 Charities Act 2011 to provide the Commission with information used in the discharge of its functions which is false or misleading

Charity contact details

We collect the contact details for the charity’s designated contact to ensure that we can contact an authorised person within the charity if we require further information while carrying out our functions and objectives.

Information about the person using the service

We collect data about the person using the service because:

  • we may need to contact you about your submission if we require any clarification or further information
  • we need an auditable record of submissions made on behalf of the charity
  • by entering the information you are declaring that you have the authority to do so
  • you are obliged to provide true and accurate information to us. It is an offence under S60 Charities Act 2011 to provide the Commission with information used in the discharge of its functions which is false or misleading

These details will be provided via your MCCA login and be automatically populated.

How we process personal data provided through the service

Internal use

Data submitted through the service is transferred into our internal database where it will be stored, reviewed and used by us in line with our statutory functions and objectives. Further information on how we process personal data can be found in our main privacy notice.

We will also use the personal data to verify users when setting up Charity Commission Accounts. Doing this ensures we provide a level of security in ensuring only those that require an account are granted one.

Notification

If the service is used to add or delete an individual or update their details on their behalf, and we hold an email address for that individual, we will email them notifying them of this change.

We will also send a confirmation to the person who made the change. If it was not the charity contact, they will also be notified. Only the names of the individual added or deleted, or whose details were updated will be shared.

Publication

Some information submitted through the service is routinely and automatically made available to the public on our website. Information published in this way is identified in the table above.

In certain circumstances we will withhold information from publication. We refer to this as a ‘dispensation’. Find further information on how dispensations are granted.

Even when we do not publish information submitted through the service or dispensation is granted, it is important to note that current trustee’s details are visible to their charity’s contact and super administrator. This is because dispensation relates to the public display of the trustee’s name only. However, each trustee does have the option to hide their personal data from the charity contact and super administrator of all charities they are a trustee for once they have an MCCA account. A change to these details will update them across each charity for which that person holds an active role.

You should also be aware that we provide extracts of publicly available register data to other organisations who may use it for their own purposes.

Third Party processors

To provide the service, we use data processors who are third parties who provide technology and data services to us. These processors include Azure and Data8. Although your personal data may be transferred to these third parties, we have contracts in place with our data processors which mean that they cannot do anything with your personal information unless we have instructed them to do it.

Sharing of information

As explained above, certain information will be automatically published on our website unless a dispensation is granted.

We may share personal data submitted through the service:

  • where it is necessary to share the information in order to further our statutory objectives or functions
  • with other Government departments, public authorities, law enforcement agencies and regulators
  • in response to requests for information, for example pursuant to the FOIA, the EIR, or our common law powers of disclosure
  • with third party processors and service providers
  • to a court, tribunal, party or prospective party where the disclosure necessary in order to exercise, establish or defend a legal claim
  • where we are ordered to by a court or tribunal or where we are otherwise required to do by law

You can find out more information about data sharing and further processing in our main privacy notice.

The table below sets out the primary legal bases we rely on for processing data we obtain through the service. However we may process your data further for a compatible purposes and/or on other legal bases, further information is available in our main privacy notice.

Legal basis for processing
Categories of personal data Personal Data (Article 6(1) GDPR) Special categories of personal data/criminal conviction data
Identity details
Contact details
Role details
Charity details
(see table above)
Processing for updating register particulars
(c) processing is necessary for compliance with a legal obligation to which the controller is subject
Other Processing
(e)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9(2) GDPR
(g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
Conditions under Part 2 of Schedule 1 of the Data Protection Act 2018:
Statutory etc and government purposes;
Preventing or detecting unlawful acts;
Protecting the public against dishonesty etc;
Regulatory requirements relating to unlawful acts and dishonesty etc.

We may process your personal data on more than one basis depending upon the purpose for which we are using your data. Please email us at RIGA@charitycommission.gov.uk if you need details about the specific legal basis we are relying on to process your personal data.

Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For Register Particulars, the data is retained for 10 years from the date of removal from the Register.

Audit data relating to activity using your MCCA account, including accessing this service, is retained for two years.

It is important to note that in certain circumstances we retain personal data received in connection with a particular charity even after a person’s involvement with a charity has ended and after the charity is no longer registered.

Your rights

You have a number of rights under the General Data Protection Regulation (GDPR), including the right to access your data and the right to restrict or object to further processing and the right to complain to the Information Commissioner’s Office. You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the Information Commissioner’s Office (ICO), in our main privacy notice.