At First Story, we respect your privacy and are committed to protecting your personal data. This notice explains how we use personal data and cookies:
- in connection with our website at firststory.org.uk (including any related online or mobile service, the “site”); or
- when you take part in any writing workshop, competition, festival, event or other part of the First Story programme (collectively and individually, our “programme”), or
- when you (or your organisation) enter into (or propose to enter into) a contract or other arrangement with us (whether as an employee, independent contractor, volunteer, partner, supporter or donor or in any other capacity) in relation to our organisation and/or programme.
To understand how we may use your information and cookies, it is important that you read this notice – along with any other privacy notices we may provide on specific occasions when collecting personal information about you.
By continuing to use the site, or by providing us with your personal information (through the site, via the programme or otherwise), you acknowledge our use of your personal information and cookies, as described below.
- Important information
- Information we may collect about you
- How and why we may use your personal information
- Disclosure of your information
- International transfers
- Data security
- Data retention
- Your legal rights
B. Cookies Policy
C. Contact Us
D. Changes to this Privacy Notice
This section explains how we collect, process and look after any personal information that we collect about you.
1. Important Information
Our status as a data controller
We are responsible for protecting personal information that we collect about you, and we act as a data controller when we use such information. Your “personal information” or “personal data” means any information about you from which you can be identified.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
The site, and our other communications with you, may contain links to other online or mobile sites. We are not responsible and accept no liability for the privacy practices or content of such sites.
2. Information we may collect about you
We may collect personal information about you in connection with the site or our programme in the following circumstances:
- When you submit information to us – by filling out our contact form on the site, or by using our other contact details found on the site (including our email addresses, telephone numbers and postal address), or by speaking to our staff over the phone or in person. The information we collect may include:
- your name, address, email address, phone number and/or other contact details;
- your date of birth;
- the name of your school or organisation and/or your contact details there;
- your status as a parent or guardian of one of our students;
- where you are sending a job or training contract application to us, any personal information contained in your CV and/or application form (and any supplementary information submitted by you, or that we acquire about you during the recruitment process, e.g. from aptitude test results or from your referees); and/or
- any other personal information you choose to provide to us.
- When you use the site generally – when you browse the site, we may collect technical information such as your internet protocol (IP) address, operating system or browser software, and information about what you did during your use of the site (e.g. what pages you viewed). Please see section B below for further details.
- When you provide us with financial information – In order to process financial transactions made directly to First Story through our donation or standing-order forms, we will ask you for your bank or credit card details. When, however, you are using our secure online donation pages, you are going through to a partner company, and the information you give (such as your credit card number and contact information) is provided to them so that the transaction can take place, and in those instances we do not receive or retain your payment method details.
- When we receive your information from other sources – including from your school, a charitable giving organisation (e.g. Just Giving or Virgin Giving, where you have consented to their sending us your information) or from publicly available sources of information.
We seek to keep your personal information correct and up-to-date. Please let us know if you believe that any information we hold about you should be corrected or updated.
3. How and why we may use your personal information
However we use your personal data, we make sure that our use complies with lawful bases for using or otherwise processing your personal data. We may rely on one or more of those bases when we process your personal data, and we explain those below.
Information we collect about you through the site or when you contact us by other means
We may use such information for the following purposes and reasons:
- When you enquire about our activities, to contact you to discuss whether our activities may be of interest to you, and whether you would like to engage us in any way.
- Legal basis: consent to respond to your enquiry about our activities.
- Where appropriate, to respond to any other requests or queries that you may ask when you get in touch with us.
- Legal basis: your consent to our replying to you and, more generally, because it is also in our legitimate interests that we respond to you appropriately.
- Where you apply for a position with us, to assess your suitability for a job with us, and (where appropriate) to contact you in relation to those opportunities, and/or to inform any subsequent interviews, discussions or other aspect of our recruitment processes.
- Legal basis: we use your information in this way because it is a necessary part of our potentially entering an employment contract with you.
- If you consent to our doing so, so that we can contact you to let you know about our activities, events or newsletters (which you can opt out of at any time by contacting us).
- Legal basis: consent (unless withdrawn, in which case we will respect your withdrawal of consent).
- So that we can understand how people are using the site to help us improve the site’s accessibility and functionality.
- Legal basis: our legitimate interests (in making sure that our site operates effectively).
Information we collect about you in connection with our programme
- When we enter into a programme-related contract with you (or are preparing to do so).
- Legal basis: necessary for the performance of the contract that we have entered into with you (or are taking steps to enter into with you).
- For our internal programme-related administration and management procedures and/or any other purposes of delivering our programme.
- Legal basis: our legitimate interests in making sure that our programme-related operations are managed and run effectively.
- For our legal or regulatory compliance procedures in connection with our programme.
- Legal basis: necessary for compliance with a legal obligation.
- When conducting surveys of our programme (the responses to which we may cite in anonymised form in publications and funding applications).
- Legal basis: our legitimate interests in reviewing and improving the effectiveness of our programme.
- If we contact you to let you know about our activities, events or newsletters (which you can opt out of at any time by contacting us).
- Legal basis: our legitimate interests (in publicising our activities and staying in touch with our contacts, but if you opt out, we will respect your request).
Whether you deal with us via the site or our programme, please do not provide us with any personal information if you do not want that information to be used by us in the ways noted above.
Information from other sources
We may collect information about you through channels other than the site, a contract or form – for example, if you obtained our contact details from another source, if you met our staff in person, or if your details were provided to us by a third party (e.g. your school) who gave us your information in the context of our delivering our programme. If so, we will treat your personal information in accordance with this policy.
We do not generally seek to collect any “special categories” of personal data about you: that would include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we seek to collect any information about criminal convictions and offences. We may collect aggregated data about race or ethnicity for the purposes of evaluating our programme, but in an anonymised manner.
To the extent that you provide us with any special categories of personal data about you (or any details of criminal convictions or offences), then we process that information with your explicit consent, which you give to us by providing that information to us, for (a) the purpose for which you have voluntarily provided such information and (b) any purpose that is reasonably compatible with such purpose. You may withdraw that consent at any time by contacting us. Please note that we might have other legal grounds for processing such special data, such as if those data have been manifestly made public by you, but we will not process such data without such a lawful reason.
The site is not intended for children under the age of 13, and we do not knowingly collect any personal data relating to any children under the age of 13 – unless in the course of an extension of our programme, in which case we may make special arrangements to do so by providing a specific privacy notice and we shall, where required, seek consent for processing from the child’s parent or legal guardian.
If you fail to provide data
Where we need to collect personal data by law, or under the terms of a contract that we have with you and you fail to provide that data when requested, we may not be able to perform the contract that we have or are trying to enter into with you. If so, we shall notify you if that is the case at the time.
Change of purpose
We shall only use your personal data for the purposes for which we collected the data, unless we reasonably consider that we need to use such data for another reason and that reason is compatible with the original purpose. If you would like to get an explanation of how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we shall notify you and we will explain the legal basis on which we intend to rely.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, if and to the extent that this is required or permitted by law.
4. Disclosure of your information
We may disclose your personal information collected via the site or in connection with our programme to certain third parties, but only in the following limited circumstances:
- where we use third-party service providers that process information on our behalf to help us fulfil our contractual obligations and operate our business (such as IT and communication service providers);
- where sharing is a necessary part of our programme activities and/or our contract with you;
- where you have contacted us in relation to a job position, in which case, as part of our recruitment process, we may contact third parties (including your referees, previous employers or educational establishments) to discuss the information that you have provided to us;
- where we are under a legal or regulatory obligation to disclose your personal information (e.g. to HMRC, regulators or other authorities);
- to our professional advisers, including bankers, accountants and insurers, who are usually based in the UK and provide their respective professional services to us;
- in anonymised form, to other organisations or individual supporters (e.g. funders and private donors) who are supportive of our aims and objectives;
- if our operations or assets are in the future transferred or merged to or with a third party, in which case such third party may use your personal information in a manner compatible with that set out in this policy; and/or
- to other third parties, if we have obtained your consent to do so.
5. International transfers
We may transfer your personal information outside the European Economic Area (EEA) where the transfer is necessary for (a) the performance of our contract with you (or for implementing pre-contractual measures taken at your request) or (b) the conclusion or performance of a contract concluded in your interest between us and a third party or (c) another lawful condition (such as the establishment, exercise or defence of legal claims).
We do not otherwise typically transfer your personal information to locations outside the EEA. To the extent that we do so, we will strive to ensure that a similar degree of protection is afforded to such information by ensuring that at least one of the following safeguards is implemented:
- transferring your personal information to a country, organisation or sector that has, at the time of transfer, been deemed to provide an adequate level of protection for personal information by the European Commission;
- using specific forms of contract approved by the European Commission that give personal information the same protection it has within Europe; and/or
- transferring information to a provider based in the US if such provider is part of the Privacy Shield, which requires it to provide similar protection to personal information shared between Europe and the US.
For further details of such safeguards, please see the European Commission’s website. Please contact us if you would like further information on any specific mechanism used by us when transferring your personal information outside the EEA.
6. Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties that have an operational need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected such information (or for any compatible purpose), including for the purposes of satisfying any legal, accounting or reporting requirements. In some circumstances you can ask us to delete your personal information: please see section 8 below.
If you have applied for work with us, then we will retain your personal information for the duration of the period in which we are considering your application. If you are successful in your application, then we will continue to retain your personal information for the duration of your employment or engagement, and following the end of your employment or engagement, in accordance with our document retention policy for former staff. If your application is not successful, or we do not have a suitable position available at that time, we will retain your personal information for up to 12 months and, with your permission, for longer so that we can let you know about other appropriate opportunities that may arise in the future (but you may contact us at any time to request that we delete your application and any personal information we are holding about you).
8. Your legal rights
Under certain circumstances, you have the following rights under data protection laws in relation to your personal information:
- right of access to your personal information;
- right to rectification of your personal information;
- right to erasure of your personal information;
- right to restriction of processing of your personal information;
- right to portability of your personal information;
- right to object to processing of your personal information;
- right not to be subject to automated decision-making (including profiling); and
- right to withdraw consent to processing of your personal information.
To find out more about these rights, please visit the ICO’s website.
If you wish to exercise any of those rights, please contact us.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). We may, however, charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.
We may need to request specific information from you to help us confirm your identity and to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data are not disclosed to any person that has no right to receive such data. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we shall notify you and keep you updated.
B. Cookies Policy
This section explains how we use web analytics to help us monitor how the site is being used so that we may improve its functionality and accessibility to users.
1. About cookies
Cookies are widely used to allow websites to function efficiently. A cookie is a small file of letters and numbers that (depending on your browser settings) is deposited on your browser or the hard drive of your computer, mobile phone or other smart device (each, a “device”) when you visit an online or mobile site, if you agree. Cookies contain information that is transferred to your device’s hard drive. The cookie may be sent back to that site when you visit again, and may then be used by the server to identify and track your use of the site.
We do not currently use first-party cookies on the site.
2. Third-party cookies and web analytics
Our own policy does not cover any third-party online or mobile sites that are linked to the site. If you click through to those sites, they may set cookies on your device. To understand which cookies are used by those third parties and how they use your data, please read their privacy and cookies policies. We accept no responsibility or liability for those third-party sites.
The site uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics measures how users interact with our site content through the use of tracking cookies. As a user navigates between web pages, Google Analytics provides our site with tags to record information about the page a user has seen, such as the page URL, time and date of visit, length of visit, country of residence and language settings.
C. Contact Us
If you have any queries about this notice, including any requests to exercise your legal rights in relation to your personal data, then please contact us at:
Email address: firstname.lastname@example.org
Postal address: Data Protection Team, First Story Limited, Omnibus Business Centre, 39-41 North Road, London N7 9DP, United Kingdom
D. Changes to this Notice
We may at any time update or otherwise modify this notice. We will notify you of any changes to our notice by posting the modified notice on the site. This version was last modified on the date noted below.
Last modified: 6 February 2019