Data Protection Policy
This data protection policy describes how and why we use data and information about people or arising from their activities. This use falls under the following categories:
- recruitment and selection of employees, associates and fellows
- employees, associates and fellows
- our research activities
- our own stakeholder research
- events we organise
- newsletters and mailing lists we steward
- our Discord server
- our reach
This data protection policy provides details about our data collection and use under each of these categories, your rights around data about you, and how to provide feedback and complaints about our data processing.
As a small, non-data-intensive organisation, we hold relatively little data. We do not use data for big data analytics or machine learning, and the data we hold is never processed to create profiles or recommendations in ways that mean data about other people affects what we think about you. This limits the wider and collective impact that the data we hold and use might have. If you’d like to learn more about how we designed this data protection policy and why, please take a look at this post.
Recruitment and selection data
We collect data from candidates when we run recruitment exercises or put out calls for proposals or to take part in our fellowship programme.
This data includes contact information; CVs; covering letters; responses to surveys (which may include information about protected characteristics) and written exercises; and our own notes about and assessment of candidates.
These are held in a protected area of our Google Drive and are only accessible to those involved in the recruitment or selection process itself.
We initially process this data to select people under the legitimate interests lawful basis:
- Purpose: we use this data to select appropriate people for the roles and opportunities we offer
- Necessity: we cannot select appropriate people for these roles and opportunities without having and processing information about them
- Balancing test: we believe people who put themselves forward as candidates for roles or other opportunities expect it to be processed for that purpose, and that it is of benefit to them for us to do so
Some of this data may reveal information about the candidate’s racial or ethnic origin, or sexual orientation, or health, which is special category data. For example, we may ask candidates whether they belong to any under-represented communities. We collect and process this data to advance equality of opportunity, which is a substantial public interest condition for processing special category data.
The majority of this data is deleted immediately after the completion of the recruitment or selection process. You may object to this processing and withdraw from the recruitment or selection process at any time by emailing email@example.com, in which case we bring forward that deletion process.
We also ask unsuccessful candidates if we can retain information about them to enable us to get in touch with them if there are future vacancies or opportunities at CONNECTED BY DATA. If you agree to this, we process this data under the consent lawful basis. Again, you can withdraw your consent at any time by emailing firstname.lastname@example.org, in which case we will not contact you directly about future opportunities.
We recognise that this use of data gives people who have previously applied for roles or opportunities with us an advantage in future roles and opportunities. However, we always also advertise roles and opportunities openly on our website and through our Twitter and LinkedIn accounts, so there are other ways to gain awareness of them without us holding data about you.
Employee, associate and fellow data
We collect and hold data about employees, associates, and fellows in order to satisfy our responsibilities as an employer and contractor of services, including paying them and meeting our duty of care towards them.
This data includes contact information, contracts, bank details, payroll data, health and safety records, activities and performance at work, and so on.
This data is held in different places:
- Contracts are held in a protected area of our Google Drive
- Health and safety information is held in AirTable
- Payroll and invoicing data is stored within FreeAgent (our financial software)
- Payment and bank details are held within Starling (our banking software)
- Records of activities and performance at work are held across AirTable and documents in Google Drive
We process this data under the contract lawful basis as it is necessary for us to have it and use it to fulfil our contractual obligations with employees, associates and fellows.
Some of this data may reveal information about employee, associate or fellow’s health, and sometimes that of their family, which is special category data. For example, we keep track of days taken off sick, on maternity or paternity leave, or compassionate leave. We collect and process this data for the purpose of employment, social security and social protection.
To meet our legal and accounting requirements, we will retain contract, payroll and invoicing data, and records of your activities at work, for a period of up to five years after the end of our contract with you. Other data (about health and safety, and payment information) will be deleted when you finish being a fellow, associate or employee with us.
After our contract with them ends, we do ask employees, associates and fellows if we can retain information about them to enable us to get in touch with them if there are future vacancies or opportunities at CONNECTED BY DATA. If you agree to this, we process this data under the consent lawful basis. You can withdraw your consent at any time by emailing email@example.com, in which case we will not contact them directly about future opportunities.
We collect data that supports our research we carry out on our own behalf or that of clients.
This data includes contact information, the results of surveys, and records of interviews and workshops that people take part in. We will often record interviews or workshops through Zoom or other web conferencing platforms, and automatically transcribe them using tools such as Otter.ai.
This data is held in AirTable and protected areas of Google Drive. Access to things like interview transcripts is limited to the researchers involved in the research. However, we usually share the affiliations, and sometimes names, of people we engage in research, to help others assess its validity, and to acknowledge participants’ contributions. We will never share interview or meeting transcripts, or attribute direct quotes, without your permission.
We process contact information – which is often provided to us by clients or gathered from public sources – under the legitimate interests lawful basis:
- Purpose: we use this data to contact people and request their participation in our research
- Necessity: we cannot identify and contact people to participate in our research without having and processing information about them
- Balancing test: we believe most people who we contact to take part in research will themselves be interested in the results of that research, which we share with them or publicly; even if they are not, we do not engage in excessive or intrusive use of this information (we send one request and one follow up)
We process the results of surveys, and the records of interviews and workshops under the consent lawful basis. Our surveys and interview/workshop scripts include specific reference to what data is collected, what it is used for, the degree to which it will be shared, and how long it will be retained, and participants are explicitly asked for consent for that data processing, which is recorded as part of the survey or in a separate consent document for each interview.
We delete research data after a period of one year following the completion of the research. We keep it for this time in case there is any follow-up work involving contacting the same participants or re-analysis of the research data.
You may object to this processing and data retention at any time, including during the research process, by emailing firstname.lastname@example.org, in which case we bring forward that deletion process.
We also ask participants in research if we can retain information about them to enable us to get in touch with them about the results of the research, and for future research studies. If you agree to this, we process this data under the consent lawful basis. You can withdraw your consent at any time by emailing email@example.com.
We recognise that this use of data means that people who have previously taken part in research are more likely to know about and take part in future research, which may mean they are both over-represented and over-burdened. We always also aim to identify appropriate participants in our research through other techniques (such as snowball sampling, or public or targeted calls for participation) so that we are not over-reliant on previous participants.
We collect and hold data about our stakeholders. These are people and organisations who we want to be interested in our work, including targets of our campaigning; potential funders and partners; and organisations we think should be adopting more participatory data governance practices.
This data includes information about affiliations; contact information; notes about and links to public statements; and our own assessments of those stakeholders in relation to our activities. Most of this data is publicly available (the exception being our own assessments of our stakeholders), for example on people’s websites or social media accounts. We do not engage in highly targeted or intrusive data collection, or purchase information about our stakeholders.
We process stakeholder research under the legitimate interests lawful basis:
- Purpose: we use this data to carry out our campaigning and fundraising work
- Necessity: we cannot do our work effectively without having a good idea about who to target for campaigns, fundraising and partnerships
- Balancing test: we believe that people have a reasonable expectation of being contacted about work that might be of interest to them, that they expect people to make notes during meetings with them, and that they expect people to use contact information that they have put in the public domain
We generally use this data to get in touch with people, for example to invite people to speak at or participate in events we think might be of interest to them, or to circulate briefings. We do not use this data for bulk emailing or marketing purposes.
This data is not regularly deleted. However, you may object to this processing at any time by emailing firstname.lastname@example.org, in which case you will be removed from our stakeholder database and added to a separate list that we keep of people who do not want to be contacted by us.
Events and meetings
We hold data about people who have signed up to events that we organise and people we have meetings with. There are three types of these:
- Public events, where there is no sign up process and people who attend are in control of how much information they share during the meeting
- Private events, where people sign up for the event and then get invited; we will provide ways for attendees to make their contact details known to other attendees
- Meetings, which are arranged between attendees, and for which names and email addresses are visible to all attendees
This data includes contact information and information about attendee areas of interest. We sometimes also record events, which can capture data about the contributions of attendees.
Data about event sign ups is kept within AirTable. Event recordings may be captured through Zoom or other web conferencing platforms, and are stored on protected areas of Google Drive. Attendee data for private events and meetings is captured in Google Calendar.
When virtual events are recorded, participants have the option to turn off cameras, use blurred backgrounds or take other privacy preserving steps. We will remind participants of these options, and will consider reasonable requests not to record sessions where recording would limit the ability of individuals to participate freely.
Where we have personal data about event attendees, we process data they provide under the legitimate interests lawful basis:
- Purpose: we use this data to provide attendees with information about the event, to write up events, and to follow up with attendees
- Necessity: we cannot run events effectively without having this information
- Balancing test: we believe that people have a reasonable expectation of being contacted about events that they have signed up for
The majority of data around events and their attendance is deleted within a month of the event (to allow for time to write them up and circulate those summaries). However, for our impact metrics we do retain information about:
- the number of people who attended
- the organisations who were represented
You may object to this processing and ask not to be contacted about the event at any time by emailing email@example.com, in which case we bring forward that deletion process.
We also ask event attendees if we can retain information about them to enable us to get in touch with them about future events, or the topic of the event. If you agree to this, we process this data under the consent lawful basis. Again, you can withdraw your consent at any time by emailing firstname.lastname@example.org, in which case we will not contact you directly about future events or the topics of the events you attended.
We recognise that this use of data gives people who have previously attended events greater access to future events. However, we always also advertise events openly on our website and through our Twitter and LinkedIn accounts, so there are other ways to gain awareness of them without us holding data about you.
Mailing lists and newsletters
We operate a few mailing lists and newsletters which are designed to keep people up to date with topics related to our mission and their interests.
This data includes contact information about members of mailing lists and subscribers of newsletters, and details about the mailing lists they are members of and newsletters they subscribe to. When members of mailing lists post to the mailing list, we hold data about those posts as well.
All this data is managed within Google Groups. We operate three types:
- Newsletters, where no member information is visible to anyone else and subscribers receive newsletters we send – these newsletters are also published on our website so you do not have to subscribe to read them.
- Mailing lists, which anyone can post to (whether a member or not) and members receive messages in their inbox – information about the members of the mailing list is not available publically, but anyone can see posts that are made to the mailing list. We moderate posts to these lists, so they only appear if we don’t think they are harmful.
- Email groups, which only members can post to, and where members can see who else is part of the email group – these posts are only visible to members of the email group. We do not moderate posts to these lists.
People are only subscribed to newsletters or made members of mailing lists and email groups if they give explicit consent. Every post from any of these includes a footer that enables people to unsubscribe from that newsletter, list or group themselves. You can also withdraw your consent at any time by emailing email@example.com asking to be removed as a subscriber or member from a specific newsletter, list or group, or from all of them.
You can remove posts that you made to a mailing list or email group yourself, or by emailing firstname.lastname@example.org and asking us to do it for you. You can also email email@example.com if anyone posts a harmful message to a mailing list or email group, and we will remove it.
Note that although this will delete the post from our server (and from publication on the web, if it was a post to a mailing list), we cannot delete it from members’ email inboxes.
We operate a Discord server, which is open to anyone to join.
We gain some access to information about people who join the server, depending on what they share in their Discord profile and through any messages they send on Discord. Other people who join the server can also see this information.
We only use this information to interact with people on Discord, and to collate aggregate information about our reach (ie the number of people who have joined the server).
People who join the server are free to leave at any time. You can also ask for us to remove you from that server by emailing firstname.lastname@example.org.
You can delete posts that you made on Discord yourself, or by emailing email@example.com and asking us to do it for you. You can also email firstname.lastname@example.org or contact us on the #meta channel on the Discord server if anyone posts a harmful message, and we will remove it.
We have a website and operate social media accounts. Keeping track of numbers of visitors, followers, engagement and so on enables us to understand our reach, and the impact of our activities to grow and expand it.
Analytics data for our social media accounts is provided by those social media platforms.
Our website analytics are provided by Plausible, and our dashboard is public. The details about how Plausible generates these statistics are available on their website: this does not include the collection of any personally identifiable data (including IP addresses).
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at email@example.com if you wish to make a request.
Feedback and complaints
We welcome feedback, complaints and objections to our use of data about you, or our wider data practices, whether or not we hold data about you personally, and from organisations as well as individuals. Please email these to firstname.lastname@example.org.
We aim to resolve these rapidly and transparently within a month. If resolution isn’t possible within that time (for example if we cannot come to an agreement with you about the steps we should take), we will work with you to convene an independent panel to decide what we should do, and adhere to the judgement of that panel.
If you are a data subject, and you are unhappy with how we have used data about you, you can also complain to the ICO.
You can contact the ICO at:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk