This policy particularly applies to information we collect about the following:
- visitors to our website or other sites we operate;
- online and in-person activity or event participants;
- people who email us or contact WFD in other ways;
- people who make enquiries about WFD’s programmes, events, and activities;
- people who contacts us in relation to information requests, complaints and general queries;
- job applicants and current and former staff; and
- consultants, experts, or the staff of our partners and suppliers.
WFD is committed to protecting the privacy and confidentiality of personal information and to maintaining physical, electronic, and procedural safeguards to protect personal information in our care.
WFD is the Data Controller for the purposes of applicable law for any personal information you give WFD.
1. Key principles of good data privacy
Within WFD, we will endeavour to comply with six privacy principles at all times.
- Personal data should be fairly and lawfully processed and should be done so in a transparent manner, ensuring that you are aware of both what data we are processing and why.
- Personal data should be processed for limited purposes and the purpose must be specified.
- Personal data shall be adequate, relevant and not excessive, meaning we will only collect as much as we need to carry out our essential processing.
- Personal data should be accurate and up to date: if it is not, we will correct it within 1 month of receiving the request to correct.
- Personal data should not be kept longer than necessary. To ensure this we observe an information retention policy.
- Personal data must be secure. WFD has in place appropriate technical and organisational measures to prevent accidental or deliberate loss, destruction or damage.
2. How you can contact us
The Data Protection Officer
Westminster Foundation for Democracy
London, SW1A 2EG
3. Notification of changes to this policy
4. Information we routinely collect
When someone visits www.wfd.org or our online applications hosted by our supplier, Knack Inc, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those who visit our website.
If we do want to collect personally identifiable information through our website, we will be transparent about this, by means of an information notice at the point of collection of the data. We will make it clear when we collect personal information and will explain what we intend to do with it.
4.2 Information collected by automated means
We collect certain information by automated means when you visit our sites, such as how many users visit our sites and the pages they access. By collecting this information, we learn how to best tailor the sites to our visitors. We collect this information through various means such as “cookies,” “web beacons” and IP addresses, as explained below.
4.3 Information we collect when you use the search function and social media integrations
We may use Google Analytics or similar tools to monitor search activity. No user-specific data is collected. These reports collate, for example, how many users visited our sites, what pages have been browsed, and the geographic location of the users. The information collected through the use of analytics may include, for example, your IP address, the website from which you visited us, the type of device you used and your search query that led you to the sites. Your IP address is masked on our systems and will only be used on a need-to-know basis to resolve technical issues, to administer our sites and to understand visitor preferences.
WFD’s website may use social media features and widgets (such as “like” and “share” buttons or widgets ) known as SM Features. These are provided and operated by third party companies such as Facebook or Twitter. They are either hosted by a third party or hosted directly on our website. SM Features may collect information such as the page you are visiting on our website and your IP address, and may set cookies to enable the SM Feature to function properly.
If you are logged into your account with the third-party company, then the third party may be able to link information about your visit to and your use of WFD’s website, to your social media account with them. Similarly, your interactions with the SM Features may be recorded by the third party. In addition, the third-party company may send us information in line with their policies, such as your name, profile picture, gender, friend lists and any other information you have chosen to make available. You can manage the sharing of information and opt out from targeted marketing via your privacy settings for the third-party social media platform.
4.4 Information collected by third-party linked sites
5. Personal data that we may ask you to provide
You may choose to provide personal information (such as your name, address, telephone number, and email address) on our website or other sites we operate. Here are the ways you may provide the information and the types of information you may submit:
If you communicate with us through the “contact us” page on our sites, we may ask you for information such as your name, email address and telephone number so we can respond to your questions and comments.
Any email sent to us, including any attachments, is monitored for malicious content and retained using our IT platform operated by Microsoft Inc.
When we receive an information request, such as a Freedom of Information Request, comments, compliments, or complaints, we may generate a file. This normally contains the identity of the requester or complainant.
WFD will only use the personal information collected to process the matter and to check on the level of service provided. We do compile and publish Freedom of Information responses but not in a form which identifies anyone.
Personal information contained in these files will be kept in line with WFD’s document retention guidelines. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
5.2 Partners and suppliers
WFD routinely exchanges business critical information, such as contact names, phone numbers, and email addresses of our partners and suppliers. This information is collected, held on our IT platform, operated by Microsoft Inc, and where necessary shared, for the purposes of:
- routine communication;
- communication generally about WFD and its work and other possible service delivery opportunities;
- due diligence purposes;
- internal and donor reporting; and
- collection or delivery of goods and services.
The relevant Grant Agreement or Contract for Services will set out the legal arrangements for the processing of personal data on or by the expert or consultant.
Personal information related to the staff of partners or suppliers may be accessible across WFD’s network of offices and sponsored political party offices around the world and/or shared with third parties, including but not limited to the Foreign, Commonwealth and Development Office and our donors within or outside the UK.
Individuals who wish to be considered for an expert assignment or consultancy opportunity with WFD as an expert will be asked to provide personal information. This information is collected, held on our IT platform operated by Microsoft Inc., and where necessary shared, for the purposes of:
- communication about an assignment;
- communication generally about WFD and its work and other possible assignments;
- due diligence purposes;
- internal and donor reporting;
- travel management;
- safety and security; and
- delivery of services.
The due diligence questionnaire for experts and consultants explains why information will be collected and with whom it may be shared. The relevant consultancy agreement will set out the legal arrangements for the processing of personal data on or by the expert or consultant.
Personal information related to experts or consultants may be accessible across WFD’s network of offices and sponsored political party offices around the world and/or shared with third parties, including but not limited to the Foreign, Commonwealth and Development Office and our donors within or outside the UK.
WFD will routinely collect data from participants involved in WFD-sponsored activities or events. These may be held physically, in-person, or virtually using an online platform. This data will usually include the participant’s name, gender, age bracket, position title and affiliated organisation (if applicable), and often their email address. We may from time to time also ask you to disclose any disabilities. This information is collected, held on our IT platform operated by Microsoft Inc. or a platform hosted by our supplier, Knack Inc, and where necessary shared, for the purposes of:
- due diligence;
- travel management;
- Reasonable adjustments to logistical arrangements for events and activities, if required;
- internal and donor monitoring and evaluation;
- internal and external audit; and
- communication generally about WFD and its work and additional possible events or activities.
Personal information related to participants in events or activities may be accessible across WFD’s network of offices and sponsored political party offices around the world and/or shared with third parties, including but not limited to the Foreign, Commonwealth and Development Office and our donors within or outside the UK.
In addition, we may also take photographs or record films of our activities or events. Sharing photographs and films of our activities helps us celebrate the successes and achievements of our team, our partners and participants in our programmes and raises awareness of our work. We will always explain why we are recording your image, how we plan to use it, and ask for your consent. We will take special care with any images of children or vulnerable adults. Any images will be retained in a secure environment and access to them will be restricted according to the ‘need to know’ principle.
5.5. Visitors to WFD offices
When working on site, either as a contractor providing delivery of goods and/or services, or visiting the site for meetings, your personal information is used only for the purpose of fulfilling the appropriate task or meeting. The exception would be in the event of an unforeseen incident or other such issue arising.
WFD must record all accident reports, asbestos reports and near miss episodes as well as data and security incidents and business continuity incidents, all of which are kept in accordance with legal requirements, either manually or in suitable, approved software.
These incidents may necessitate an internal investigation and may require the sharing of your data or sensitive personal data as well as associated documentation that is essential to the purpose of the legal requirement to the relevant authorities in the UK including (but not limited to):
- Health and safety executive;
- the Information Commissioner;
- the Police or other investigatory authorities;
- emergency services;
- legal process such as solicitors and courts;
- landlords and appointed contractors; and
- any equivalent body in a WFD location outside of the UK.
WFD uses an online recruitment and HR information system managed by a third-party processor, People Apps Limited.
During the external recruitment process, any information provided will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. Personal information may be shared with our internal resources team, the hiring managers and the interview panel. When individuals apply to work at WFD, we will only use the information they supply to us to process their application and to monitor recruitment statistics.
You may be asked to participate in assessments, complete job-specific tests, or to attend a virtual or face-to-face interview. The information generated during the process such as completed tests and interview notes will be held by WFD.
If you are unsuccessful following assessment for the position you have applied for, we may retain your details and proactively contact you should any further suitable vacancies arise.
If a conditional offer of employment is made, we will carry out checks that ensure the candidate’s eligibility to work and identity. We will also contact the referees provided to verify the dates and job titles as detailed in your application. In addition, we will require completed monitoring questionnaires and a criminal records declaration.
Once you have taken up employment with WFD, we will compile a file relating to your employment. The information contained in this will be kept within a secure location and will only be used for purposes directly relevant to your employment. We will also require your bank details, emergency contact details and – if relevant – details about your current civil service pension scheme.
We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Your personal information may be shared with third parties as part of your employment with WFD, including but not limited to:
- Outsources payroll providers;
- Civil Service Pension Scheme providers;
- IT software providers for the purposes of sending electronic communications to staff, e.g., staff updates for Business continuity purposes, training information and surveys sent via app technology;
- training providers;
- internal and external auditors;
- contracted legal advisers.
Once employment with WFD has ended, we will retain the file in accordance with the requirements of our data retention policy, which is based on legal requirements.
When you use our online application system, People HR, a third-party data processor provides this online service for us. Once you click ‘apply now’ you will be taken to People HR website and they will hold the information you submit, allowing WFD access to it.
You will be asked for your personal details including name and contact details. You will also be asked about your previous experience, education, and referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.
All processing in relation to job applicants, current and former employees is processed under Article 6 (1) (c) of the GDPR.
Access to data and information held such as recruitment papers (written shortlisting and interview notes) will be made available to all candidates if requested.
6. Sharing your information with third parties
We will never sell your details. We will only share your details with third parties (who are not service providers working at our direction) as indicated in this policy or if you have consented or we have another legal basis to do so.
We may disclose your personal information if we are requested or required to do so by a regulator or law enforcement or in order to enforce or apply our rights (including in relation to our website or other applicable terms and conditions) or to protect WFD, for example in cases of suspected fraud or defamation, or in order to comply with any other applicable legal obligation.
7. Retaining your information
We will keep and delete your information according to our internal policies and will keep it no longer than reasonably necessary for the purposes for which we hold it, taking into account relevant legal and regulatory retention requirements (e.g., tax or health and safety requirements) and operational considerations.
8. Lawful grounds for processing your information
Wherever possible, WFD will make it clear to you at the point of collection the purpose of collecting the data. WFD currently processes personal data in accordance with the following legal provisions:
- the Data Protection Act 2018
- the Privacy and Electronic Communications (EC Directive) Regulations 2003
- General Data Protection Regulation (EU) 2016/679
Following the expiry of the transition period resulting from the Withdrawal Agreement between the UK and EU, from 1 January 2021, WFD will continue to process personal data in accordance with the UK GDPR.
Generally, our processing of your personal information as described in this policy is allowed by these laws based on one or more lawful grounds, including:
- Where you have provided your consent to us using your personal information in a certain way. For example, where an event participant agrees that WFD may take, hold, and publish a photograph of the event in which they are visible. We also may ask for your explicit consent if you share sensitive personal information with us.
- Where the processing is reasonably necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract. For example, we may rely on this basis where you apply to work for us.
- Where the processing is reasonably necessary to comply with a legal obligation to which we are subject. For example, we may rely on this basis where we are obliged to share your personal information with a regulator or HMRC.
- Where the processing is reasonably necessary for the purpose of a legitimate interest pursued by us or a third party and your privacy rights do not override the legitimate interest. Our “legitimate interests” include pursuing the mission of WFD through our work to strengthen democracy around the world, communicating with you about WFD and its work (unless you have told us you do not want to hear from us), or sharing information with WFD’s existing or prospective donors. However, “legitimate interests” can also include your interests, such as when you have requested information from us, and those of third parties, such as our beneficiaries.
In any event, where we are relying on legitimate interests to process your personal information, we will consider any potential impact on you (positive or negative), your rights under data protection laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests in the processing.
Where we process sensitive personal data, we will make sure that we only do so in accordance with one of the additional lawful grounds for processing that type of data, such as where we have your explicit consent or you have made that information manifestly public. Sensitive personal data may include your racial or ethnic origin, philosophical or religious beliefs, sexual preferences or practices, criminal record, membership of a political party, professional or trade association, biometric or genetic data, passwords, financial information, or health data.
9. Information Rights
Under Article 13 of the General Data Protection Regulation we are obliged to provide information about your rights in relation to the data collected. You are entitled to:
- Be informed about how we use your data, (which is outlined in this privacy notice).
- Know how long we will keep your data. This will be as required by law or where stated by our retention schedule.
- Be advised of our reason for processing the data.
- Be provided with a copy of the information held, if required (this is known as a Subject Access request).
- Have any information held corrected, if what we hold is wrong.
- Withdraw your consent at any time
- Ask us to no longer process your information.
- Have data erased if no longer relevant, if not subject to overriding law.
- Complain about how we use your data to the Information Commissioners Office in the UK.
- Object to automated decision making and profiling.
This policy was last updated on 3 September 2020.