Data Protection Policy

This data protection policy describes how and why we use data and information about people or arising from their activities. This use falls under the following categories:

This data protection policy provides details about our data collection and use under each of these categories, your rights around data about you, and how to provide feedback and complaints about our data processing.

As a small, non-data-intensive organisation, we hold relatively little data. We do not use data for big data analytics or machine learning, and the data we hold is never processed to create profiles or recommendations in ways that mean data about other people affects what we think about you. This limits the wider and collective impact that the data we hold and use might have. If you’d like to learn more about how we designed this data protection policy and why, please take a look at this post. This policy was last reviewed and approved by the whole team on 28 October 2024.

Recruitment and selection data

We collect data from candidates when we run recruitment exercises or put out calls for proposals or to take part in our fellowship programme.

This data includes contact information; CVs; covering letters; responses to surveys (which may include information about protected characteristics) and written exercises; and our own notes about and assessment of candidates.

These are held in a protected area of our Google Drive and are only accessible to those involved in the recruitment or selection process itself.

We initially process this data to select people under the legitimate interests lawful basis:

  • Purpose: we use this data to select appropriate people for the roles and opportunities we offer
  • Necessity: we cannot select appropriate people for these roles and opportunities without having and processing information about them
  • Balancing test: we believe people who put themselves forward as candidates for roles or other opportunities expect it to be processed for that purpose, and that it is of benefit to them for us to do so

Some of this data may reveal information about the candidate’s racial or ethnic origin, or sexual orientation, or health, which is special category data. For example, we may ask candidates whether they belong to any under-represented communities. We collect and process this data to advance equality of opportunity, which is a substantial public interest condition for processing special category data.

This data is deleted immediately after the completion of the recruitment or selection process. You may object to this processing and withdraw from the recruitment or selection process at any time by emailing dpo@connectedbydata.org, in which case we bring forward that deletion process.

If you’re an unsuccessful candidate we will ask you if we can retain information about you (indefinitely) to enable us to get in touch if there are future vacancies or opportunities at CONNECTED BY DATA. If you agree to this, we process this data under the consent lawful basis. Again, you can withdraw your consent at any time by emailing dpo@connectedbydata.org, in which case we will not contact you directly about future opportunities.

We recognise that this use of data gives people who have previously applied for roles or opportunities with us an advantage in future roles and opportunities. However, we always also advertise roles and opportunities openly on our website and through all our social media accounts and newsletters, so there are other ways to gain awareness of them without us holding data about you.

Employee, associate and fellow data

We collect and hold data about employees, associates, and fellows in order to satisfy our responsibilities as an employer and contractor of services, including paying them and meeting our duty of care towards them.

This data includes contact information, contracts, bank details, payroll data, health and safety records, activities and performance at work, and so on.

This data is held in different places:

  • Contracts are held in a protected area of our Google Drive
  • Health and safety information is held in Google Drive
  • Payroll and invoicing data is stored within FreeAgent (our financial software)
  • Payment and bank details are held within Starling (our banking software)
  • Records of activities and performance at work are held in Google Drive

We process this data under the contract lawful basis as it is necessary for us to have it and use it to fulfil our contractual obligations with employees, associates and fellows.

Some of this data may reveal information about employee, associate or fellow’s health, and sometimes that of their family, which is special category data. For example, we keep track of days taken off sick, on maternity or paternity leave, or compassionate leave. We collect and process this data for the purpose of employment, social security and social protection.

To meet our legal and accounting requirements, we will retain contract, payroll and invoicing data, and records of your activities at work, for a period of up to five years after the end of our contract with you. Other data (about health and safety, and payment information) will be deleted when you finish being a fellow, associate or employee with us.

After our contract with you ends, we do ask employees, associates and fellows if we can retain information about you to enable us to get in touch if there are future vacancies or opportunities at CONNECTED BY DATA. If you agree to this, we process this data under the consent lawful basis. You can withdraw your consent at any time by emailing dpo@connectedbydata.org, in which case we will not contact them directly about future opportunities.

Research data

We collect data that supports the research we carry out on our own behalf or that of clients.

This data includes contact information, the results of surveys, and records of interviews and workshops that you take part in. We will often record interviews or workshops through Zoom or other web conferencing platforms, and automatically transcribe them using tools such as Otter.ai.

This data is held in cloud services such as AirTable or Notion and protected areas of Google Drive. Access to things like interview transcripts is limited to the researchers involved in the research. However, we usually share the affiliations, and sometimes names, of people we engage in research, to help others assess its validity, and to acknowledge participants’ contributions. We will never share interview or meeting transcripts, or attribute direct quotes, without your permission.

We process contact information – which is often provided to us by clients or gathered from public sources – under the legitimate interests lawful basis:

  • Purpose: we use this data to contact people and request their participation in our research
  • Necessity: we cannot identify and contact people to participate in our research without having and processing information about them
  • Balancing test: we believe most people who we contact to take part in research will themselves be interested in the results of that research, which we share with them or publicly; even if they are not, we do not engage in excessive or intrusive use of this information (we send one request and one follow up)

We process the results of surveys, and the records of interviews and workshops under the consent lawful basis. Our surveys and interview/workshop scripts include specific reference to what data is collected, what it is used for, the degree to which it will be shared, and how long it will be retained, and you will be explicitly asked for consent for that data processing, which is recorded as part of the survey or in a separate consent document for each interview.

We delete your research related data after a period of one year following the completion of the research. We keep it for this time in case there is any follow-up work involving contacting the same participants or re-analysis of the research data.

You may object to this processing and data retention at any time, including during the research process, by emailing dpo@connectedbydata.org, in which case we bring forward that deletion process.

We also ask participants in research if we can retain information about you in our Google Drive to enable us to get in touch about the results of the research, and for future research studies. If you agree to this, we process this data under the consent lawful basis. You can withdraw your consent at any time by emailing dpo@connectedbydata.org.

We recognise that this use of data means that people who have previously taken part in research are more likely to know about and take part in future research, which may mean they are both over-represented and over-burdened. We always also aim to identify appropriate participants in our research through other techniques (such as snowball sampling, or public or targeted calls for participation) so that we are not over-reliant on previous participants.

Stakeholder research

We collect and hold data about our stakeholders. These are people and organisations who we want to be interested in our work, including targets of our campaigning; potential funders and partners; and organisations we think should be adopting more participatory data governance practices.

This data includes information about affiliations; contact information; notes about and links to public statements; and our own assessments of those stakeholders in relation to our activities. Most of this data is publicly available (the exception being our own assessments of our stakeholders), for example on people’s websites or social media accounts. We do not engage in highly targeted or intrusive data collection, or purchase information about our stakeholders.

If you are a contact of CONNECTED BY DATA your name, email address and organisation are stored within our CRM (Mailchimp) on the basis of:

  • Consent, where a person subscribes to our content via our newsletter signup form or via checking a consent box within a survey
  • Legitimate interest, for recording information about our contacts so that we can invite them to relevant CONNECTED BY DATA activities

Within our CRM, you can control the storing your information through the “email marketing” subscriber status:

  • Subscribed: a person who has given consent (opted in)
  • Non-subscribed: a person whose information we have stored based on legitimate interest
  • Unsubscribed: a person who has withdrawn consent from receiving email campaigns

You may also choose to ‘unsubscribe’ direct with Mailchimp / our newsletter, at any time. It is important to note that the “Unsubcribed” status does not reflect a withdrawal of consent from all CONNECTED BY DATA communications, but specifically from receiving newsletters. We may therefore retain your “unsubscribed” within our contact list and only engage with you via individual emails. You can ask to have your information removed from our CRM entirely and to not receive any future communications from us. Please contact dpo@connectedbydata.org to request this deletion.

If you have “subscribed” on our CRM you will receive our newsletters, Data Policy Digests and other mailings as per your request.** **Newsletters, where no member information is visible to anyone else, are also published on our website so you do not have to subscribe to read them.

Stakeholder research data is stored within cloud services such as Google Drive, AirTable or Notion and may be shared with associates who work with us and are contractually obliged to adhere to this privacy policy.

We process stakeholder research under the legitimate interests lawful basis:

  • Purpose: we use this data to carry out our campaigning and fundraising work
  • Necessity: we cannot do our work effectively without having a good idea about who to target for campaigns, fundraising and partnerships
  • Balancing test: we believe that people have a reasonable expectation of being contacted about work that might be of interest to them, that people will make notes during meetings with them, and that people will use contact information that they have put in the public domain

We generally use this data to get in touch with people, for example to invite people to speak at or participate in events we think might be of interest to them, or to circulate briefings. We do not use this data for bulk emailing or marketing purposes.

We store information in our CRM about which CONNECTED BY DATA team members have been in communication with you, using tags.

This data is not regularly deleted. However, you may object to this processing at any time by emailing dpo@connectedbydata.org, in which case you will be removed from our stakeholder database and added to a separate list that we keep of people who do not want to be contacted by us.

Events and meetings

We hold data about you if you have signed up to events that we organise and/or met with a member of the CONNECTED BY DATA team. There are three types of these:

  • Public events, where there is no sign up process and people who attend are in control of how much information they share during the meeting
  • Private events, where people sign up for the event and then get invited; we will provide ways for attendees to make their contact details known to other attendees
  • Meetings, which are arranged between attendees, and for which names and email addresses are visible to all attendees

The data we will hold on you includes contact information and information about your areas of interest. We sometimes also record events, which can capture data about your contributions.Data about event sign ups is temporarily managed on Google Sheets within Google Drive. Event recordings may be captured through Zoom or other web conferencing platforms, and are stored on protected areas of Google Drive. Some of your data, for private events and meetings, is captured in Google Calendar.

After an event, your data is uploaded and stored within our CRM; where consent has been given, this includes subscription to our communications. Any spreadsheets created to coordinate invitations and attendees are deleted once the data has been added to our CRM and summaries of the event have been circulated.

For events that have required online ticketing we will use Eventbrite or Luma and their data privacy policies (as linked) will apply. We will use such platforms infrequently and only when the ticketing functionality is necessary. No later than six months after the event we will: delete the event and all associated data from Eventbrite; and will on Luma make events “private” but are unable to delete the data.

When virtual events are recorded, you have the option to turn off your camera, use blurred backgrounds or take other privacy preserving steps. We will remind participants of these options, and will consider reasonable requests not to record sessions where recording would limit your ability to participate freely. We will make you aware if the recording is for supporting a write up or publishing on YouTube/our website. Recorded events will either be added to our YouTube channel/our website or deleted immediately after write ups are completed and made available.

Where we have your personal data as an event attendee, we process data you have provided under the legitimate interests lawful basis:

  • Purpose: we use this data to provide attendees with information about the event, to write up events, and to follow up with attendees
  • Necessity: we cannot run events effectively without having this information
  • Balancing test: we believe that people have a reasonable expectation of being contacted about events that they have signed up for

We store information in our CRM about your engagement in CONNECTED BY DATA events, using “tags”. We may log information on which events you have been invited to, when you agreed to attend an event, and when you attended an event. This data will be kept indefinitely or until you object. You may object to this processing and ask not to be contacted about the event at any time by emailing dpo@connectedbydata.org.

We ask you, if you attend an event, if we can retain information about you to enable us to get in touch about future events (usually through the event registration process). If you agree to this, we process this data under the consent lawful basis. Again, you can withdraw your consent at any time by emailing dpo@connectedbydata.org, in which case we will not contact you directly about future events or the topics of the events you attended.

We recognise that this use of data gives people who have previously attended events greater access to future events. However, we always also advertise events openly on our website and through all our social media accounts and newsletters, so there are other ways to gain awareness of them without us holding data about you.

Discord

We operate a Discord server, which is open to anyone to join.

We gain some access to information about you if you join the server, depending on what you share in your Discord profile and through any messages you send on Discord. Other people who join the server can also see this information.

We only use this information to interact with people on Discord, and to collate aggregate information about our reach (ie the number of people who have joined the server).

People who join the server are free to leave at any time. You can also ask for us to remove you from that server by emailing dpo@connectedbydata.org.

You can delete posts that you made on Discord yourself, or by emailing dpo@connectedbydata.org and asking us to do it for you. You can also email dpo@connectedbydata.org or contact us on the #meta channel on the Discord server if anyone posts a harmful message, and we will remove it.

Our reach

We have a website and operate social media accounts. Keeping track of numbers of visitors, followers, engagement and so on enables us to understand our reach, and the impact of our activities to grow and expand it.

We do not hold personally identifiable data to understand our reach, and do not use cookies to track people on our website. However, this data is generated from people’s behaviour.

Analytics data for our social media accounts is provided by those social media platforms.

Our website analytics are provided by Plausible, and our dashboard is public. The details about how Plausible generates these statistics are available on their website: this does not include the collection of any personally identifiable data (including IP addresses).

Your rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at dpo@connectedbydata.org if you wish to make a request.

Feedback and complaints

We welcome feedback, complaints and objections to our use of data about you, or our wider data practices, whether or not we hold data about you personally, and from organisations as well as individuals. Please email these to dpo@connectedbydata.org.

We aim to resolve these rapidly and transparently within a month. If resolution isn’t possible within that time (for example if we cannot come to an agreement with you about the steps we should take), we will work with you to convene an independent panel to decide what we should do, and adhere to the judgement of that panel.

You can also complain to the ICO if you are unhappy with how we have used your data.

You can contact the ICO at:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Need help?

Do you collect, use or share data?

We can help you build trust with your customers, clients or citizens

 Read more

Do you want data to be used in your community’s interests?

We can help you organise to ensure that data benefits your community

 Read more

Want to get involved?