Paul Hamlyn Foundation (PHF) takes your privacy seriously. We are committed to looking after your personal information, handling it in a responsible manner and securing it with industry standard administrative, technical and physical safeguards.
PHF follows two guiding principles when it comes to your privacy:
- Transparency. We work hard to be transparent about what personal information we collect and process.
- Simplicity. We strive to use easy-to-understand language to describe our privacy practices to help you make informed choices.
Paul Hamlyn Foundation (PHF) is registered as a data controller with the Information Commissioner’s Office (ICO) (registered number ZA132338). It is also a company registered in England and Wales (Company number 05042279), registered address 5-11 Leeke Street, London, WC1X 9HY and a registered charity (registration number 1102927). If you have any queries about this privacy notice or about any aspect of PHF’s data management please contact our data protection lead at firstname.lastname@example.org.
This Privacy Notice will be regularly updated to ensure that it continues to comply with the latest regulation and best practice. It was last updated on 10 October 2018.
How we use your information
Our privacy notice is a detailed guide to how we use your information. It sets out our approach to how we handle your personal information in the following areas. Please click on the links below to access information that is relevant to you and your relationship with us.
- Visitors to our websites
- Grant applicants, current and former grant recipients
- Award applicants, current and former award recipients
- Business contacts
- Research undertaken by PHF
- Members of the public who make enquiries
- Event delegates
- Visitors to PHF Offices
- Suppliers and others to whom we make payments
- Investment activity
- IT Management Systems
- Job applicants, current and former staff
- Mailing lists
- Social media
- Photographs and Videos
- Audit and Regulatory Requirements
Visitors to our website
When someone visits www.phf.org.uk we use a third party service, Google Analytics, to collect standard internet usage information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. As soon as this information is collected through Google Analytics, users’ IP addresses are made anonymous, and we will not make any attempt to find out the identities of those visiting our website. This data is retained for 26 months, after which time it is automatically deleted.
Our websites are hosted by Soapbox and their hosting provider is UK Dedicated. Apart from the analytical data captured by Google Tag Manager and Google Analytics, the website will also capture all requests made to the server to detect and prevent fraud and unauthorised access and to maintain server security. UK Dedicated does not store any information other than access and error logs and these details are kept for four weeks by default and then deleted.
When visitors leave comments on the blog area of our site, they are asked to provide their email address and name as well. This information along with the IP address is stored on the site for as long as the blog exists and is not shared. To host comments, our blog uses WordPress’s comment system.
Grant applicants, current and former grant recipients
Application and grant management
We will only ask for as much information as we need to effectively consider a grant application, to manage an award if you are successful and to monitor its progress. In submitting an application you are agreeing to us processing your data for these purposes and in the ways outlined in this section.
We may collect sensitive personal data for some grant schemes to enable us to monitor the diversity of our applicants and we sometimes use Survey Monkey. This data will be anonymised once it has been matched to the grant award or declination decision and the progress of the application logged. Where we fund individuals, we may also collect sensitive personal data (e.g. passport copies, birth certificates) in order to verify identity. Where this is the case we will destroy the data as soon as identity has been confirmed.
We use Blackbaud Grantmaking to store grant data (including the application module IGAM for application data). More information is available in Blackbaud’s privacy statement.
If your application is unsuccessful we will keep a record of your contact details for up to 10 years to enable us to maintain records of your application history should you apply again. We may hold notes on the assessment process for up to 6 months after an assessment decision.
We may use assessors, advisors, consultants, judges or working group members to assist us with the grant application and management process, including evaluation and research activities. These are often individuals and we will ensure a data processing agreement which meets the standards of GDPR is in place.
If your application is successful we will keep your data for the lifetime of the grant plus 10 years to enable us to meet any regulatory and reporting requirements, including HMRC investigations. In addition to application data, we will retain any personal data related to the administration or operation of the grant. After this time we will only retain the name of grant recipients and the amount awarded and some basic details of the grant made for archiving and research purposes.
Information regarding grants awarded is published on the Foundation’s website and in its annual accounts which are submitted to Companies House and the Charity Commission. We also publish grants data as part of 360 Giving. This will include the title and description of the grant, name of the recipient, date of the award, its duration and the amount awarded. We will not publish address details of individuals who are awarded grants except where these are also the registered addresses of organisations we fund. If you use a personal address for an organisation and do not wish us to publish this information you must inform us at the point of grant award. We may also include this information on grants awarded in presentations about the Foundation’s work.
We may share personal data about those we have funded with our media monitoring service Meltwater to enable us to collect information on the activity of grantees.
There may be times we share information with a third party organisation such as a charity or other funder who may contact us for a reference. Most information will be organisational and not personal, but at times personal data (for example the names of senior staff) may be included. This is a legitimate interest as it will improve funding to the sectors we fund.
Awards for Artists applicants, current and former award recipients
If you are nominated for application for an award under PHF ‘Awards for Artists’ scheme we will collect a range of personal data about you for the purposes of considering your application, including some sensitive personal data such as financial information. We may use Dropbox to collect this information. This data will be shared with the judges of the scheme who will be contracted to PHF as data processors with an agreement which meets the needs of GDPR. If you are unsuccessful, the majority of this data will be deleted within one year of the date of decision making and then destroyed. We will retain basic details of who was nominated to enable us to monitor nominations over the years.
If you are successful in being offered an award under our ‘Awards for Artists’ scheme we will retain personal data to enable us to manage and administer the schemes for the life of the award and up to 10 years subsequently. We will then hold basic details (including name, amount of the award, dates) on an ongoing basis for archive purposes.
To enable us to promote and communicate about the Awards for Artists scheme we will seek the permission of recipients to share personal data about them with media outlets. This will be retained for the life of the award and then retained for archive purposes.
Information regarding grants awarded under the Awards for Artists scheme is published on the Foundation’s website and in its annual accounts which are submitted to Companies House and the Charity Commission. We also publish grants data as part of 360 Giving. This will include the name of the recipient, date of the award, its duration and the amount awarded. We will not publish address details of individuals who are in receipt of an Award. We may include information on Awards recipients in presentations about the Foundation’s work.
We will invite sector experts to be nominees and/or judges for the Awards for Artists scheme and will retain their personal contact details to enable us to communicate with them about this. Judges who are contracted to participate as part of a decision making panel will be issued with contracts as data processors (see above).
We will retain details of all involved in the Awards for Artists Scheme, whether as applicants, nominees, nominators, judges or recipients, to enable us to effectively run the scheme for as long as the scheme is in operation. Individuals can request their removal from our records by emailing email@example.com.
Contractors including assessors, advisors, consultants, evaluators, speakers, judges, photographers, videographers and working group members
If we use contractors which could include assessors, advisors, consultants, researchers, evaluators, speakers, judges, photographers, videographers or working group members we will hold personal data of these individuals to enable us to contract with them and undertake the tasks for which they are contracted. We may share this data with participants in the task (e.g. research participants or grant applicants) if this is necessary for the purposes of the task to be undertaken.
We will store the contractual information for up to 6 years after the end of the piece of work undertaken to enable us to meet any legal or regulatory requirements. Contact details of assessors, advisors, consultants, judges or working group members will be held for up to 10 years to enable us to keep them informed of work at PHF.
If we have issued an invitation to tender, we will hold details of unsuccessful bidders for up to a year. We will hold data on those who have expressed an interest in working with us in the future for up to 5 years.
We may collect personal data from business contacts to enable us to undertake the legitimate activities of the Foundation. This data will be held for up to 10 years or for as long as the ongoing business relationship is in operation to enable us to contact you if necessary.
Research undertaken by PHF
From time to time, the Foundation may undertake research which will involve the collection of personal data. Where possible we will anonymise this data and we will only share it with third parties if we obtain your consent. We may use Survey Monkey for some of this research. Any identifiable personal data will be held for up to one year following completion of the project.
Members of the public who make enquiries
If you contact PHF with an enquiry we will store your details only for as long as necessary to enable us to respond to your enquiry and for up to 3 months after our response. This may be by telephone, email or written correspondence. If your enquiry is for pre-application advice we will hold your details for up to 18 months to ensure we have the data to refer to in the case of you making an application.
If you attend a PHF event we will hold relevant personal data in order to deliver this event. This may include sensitive personal data about personal circumstances or needs which may be shared with those who deliver aspects of the event (e.g. caterers).
All event attendees may be listed on the delegate list that may be shared with other delegates and event partners such as the venue or transport suppliers. In agreeing to attend the event you are confirming your agreement to us using your details in this way.
Data regarding event attendees may be stored on our Blackbaud Grantmaking grant management system from Blackbaud. You can find out more about this system here.
Data is also stored as electronic documents on the PHF servers, accessible by PHF employees.
We will only keep this data for as long as we need to deliver the event and up to 6 months after the event to enable us to complete any follow up administration.
We may well take photographs and record video at events; see details below.
Visitors to PHF Offices
If you visit PHF offices we will ask you to provide your personal details to enable us to keep track of attendees in the building. We will only hold this data for a maximum of one week and will not use it for any other purpose. We will however retain details about the numbers of visitors to our offices, for monitoring purposes.
Suppliers and others to whom we make payments
Investment fund administrators and other organisations we contract with are required by anti-money laundering (AML) legislation to verify the identity of their clients. Therefore, for AML purposes we are required to keep personal data about our trustees and directors. This data is reviewed every 6 months to ensure only accurate current copies are retained and out of date information is destroyed. However, PHF will retain copies of AML documentation sent to investment funds to verify identity for the lifetime of that investment where the AML documentation forms part of the contractual arrangement with that fund.
PHF will collect personal data of contacts at investment firms and banks as part of our dealings with them. This will be retained for the length of the contract and then deleted.
IT management systems
PHF uses a number of systems to manage its IT infrastructure. Personal data of users (normally only staff) is collected to enable us to manage and operate our systems and is logged in our accounts held on these systems. This includes:
- Global 4 – to manage our mobile devices
- SysAid – to manage our hardware portfolio
- Webroot – a security management package
- MyHubIntranet – an intranet system
- Filecloud – a remote access system
- Microsoft – to provide MS Office facilities
In addition, the Foundation contracts with London Computer Associates (LCA) to provide IT support. LCA have access to all PHF systems for the purposes of support and maintenance only and manages PHF’s backup and spam management systems. Their contract includes a data processing agreement which meets the standards of GDPR.
Job applicants, current and former staff
All of the information you provide during the job application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t. Information on the equal opportunities form will be treated in confidence and will not be seen by staff directly involved in the selection process. The questionnaire will be detached from the application form before the form is seen by those involved in selection, stored separately and used only to provide statistics for monitoring purposes after which point it will be destroyed.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
If you are successful, the information you provide during the application process will be retained by us as part of your employee file. This includes your criminal records declaration, fitness to work, records of any security checks and references. Your employment file will also contain all personal data related to your employment at the Foundation. This will be retained for the duration of your employment plus 6 years following the end of your employment. After that time we will retain basic details of your name, start and end date and job title only for archive purposes.
Personal contact details of employees will be shared with Foundation managers and trustees for the purposes of emergency contact in line with the Foundation’s Disaster Recovery Plan. Personal contact details of nominated emergency contacts for individual staff members will be held on employee files and will only be used in an emergency. These will be deleted within one month of the employee leaving the Foundation.
Data Processors and HR
We may use recruitment agencies to assist us with filling posts. Details of the Privacy Policies of the agencies will be available on their websites.
PHF uses PeopleHR to record staff information. Information on their Privacy Notice is available here.
PHF contracts payroll management to Sage. Further information is available here.
We use Barbican Financial Advisors to provide advice to staff on pension and insurance matters.
If you sign up to our newsletter we will retain your personal details to enable us to contact you. We also provide our newsletter to those that we hold legitimate business interests with (e.g. grantees, staff). You can unsubscribe at any time.
On a yearly basis, we will review the list and ask anyone who has not opened an edition of the newsletter over the past year if they would like to continue their subscription.
PHF uses a variety of social media platforms: Twitter, Facebook, LinkedIn, Instagram, Vimeo, YouTube and SoundCloud. We also use a third party provider Sprout Social to manage and measure our social media interactions on Twitter, Facebook and LinkedIn.
If you send us a private message via social media the message will be stored by Sprout Social for three months. It will not be shared with any other organisations.
Photographs and Videos
PHF will often use videos, which may be commissioned by us or submitted by those we work with, to illustrate the work of the Foundation and the projects we support and these may involve personal data which we collect as part of the legitimate activities of the Foundation. Videos may be stored on PHF systems or hosted on phf.org.uk and/or via Vimeo or YouTube.
Videos commissioned by the Foundation may be recorded and edited by external film makers and we will have a data processor agreement which meets the standards of GDPR in place. PHF will keep grantee videos for five years or for the length of the grant plus 2 years, whichever is longer.
From time to time we may showcase videos produced by third parties such as grantees or partners that we work with through our communications channels. In doing so, we will make every effort to ensure suitable permissions and compliance with GDPR are satisfied before use of video.
We may photograph events that PHF host or are involved in and we will inform participants that this is the case either by notice or specific forms. Participants have the right to withdraw their consent by following the instructions given.
We will also take photographs of staff – both headshots and at events. Staff will be asked to provide their consent to the use of these photographs.
We may use the photographs in PHF publications, social media, website or the press. Photographs will be stored on PHF systems and held for up to 5 years, or in the case of staff headshots until the person leaves PHF. If we commission an external photographer we will put a data processor agreement which meets the standards of GDPR in place and the photographer will be bound by the same photograph retention policy.
From time to time we may request images from those we work with to promote the work that we support through our communication channels. In accessing images we will make every effort to ensure suitable permissions and compliance with GDPR are satisfied before use of the images.
We may collect personal details about grantees or other individuals involved in the work of the Foundation in order to produce publications about PHF’s work. We will obtain the consent of the individuals involved to their inclusion. The information that we include in PHF publications is shared through our website and other communications channels, including press releases and social media. In the process of preparing and disseminating publications, we may share information with a variety of third party processors. For example, graphic designers will often format and arrange printing of content. Proofreaders and/or consultants may be engaged to review work. In all cases we will ensure a data processor agreement is in place which meets the standards of GDPR. PHF will retain digital and hard copies of publications for 30 years in order to maintain an archive of the Foundation and our grantees’ work.
Audit and Regulatory Requirements
We may share any data about the operation of PHF with the Foundation’s auditors, BDO, the HMRC, the Charity Commission, the Information Commissioner’s Office, Companies House and other regulatory bodies should this be necessary to complete statutory audit and regulatory requirements.
Under the General Data Protection Regulation (GDPR) which came into force on 25 May 2018 you have rights as an individual data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO’s website here.
Complaints and queries
PHF tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of PHF’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to our data protection lead at the address in the Introduction above.
If you want to make a complaint about the way we have processed your personal information, you can contact the ICO as the statutory body which oversees data protection law: https://ico.org.uk/concerns.
Access to your personal information
PHF tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under GDPR. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to PHF for any personal information we may hold you need to put the request in writing addressing it to our data protection lead and emailing firstname.lastname@example.org or writing to the address provided above.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the data protection lead.
Privacy notice changes