This website is owned and maintained by Eastside Community Trust, registered office: Easton Community Centre, Kilburn Street, Bristol BS5 6AW.
Tel: 0117 9541 409
VAT no: 983 0264 14
Registered charity no: 1081691
Companies House registered company no: 04023294
This notice explains how we collect data, how we use and store information and what it means for you. We welcome any feedback on our actions, please contact us on firstname.lastname@example.org
Who we are
Eastside Community Trust is registered as a charity, working to deliver communications and community development in the Easton and Lawrence Hill wards of Bristol. We are a charity registered in England and Wales (number 1081691) and a company limited by guarantee (number 4023294).
For the purposes of this Policy, ‘us’, ‘we’ and ‘our’ refer to Eastside Community Trust.
What information do we collect?
We collect personal information each time you deal with us. For example, when you sign up for our fortnightly ebulletin or attend one of our events. Our contact database also collects data on the mailings we send, such as how many people open the mailing or click on a link within the mailing. If you have received an Endowment Fund grant from us we record your personal information as part of funding requirements.
We collect and are given personal information during the production of our quarterly magazine, which is distributed online and in paper format. The magazine is produced as a community resource and is therefore of public interest.
We use the information we collect to:
● Provide news and information about what’s going on in our area.
● Conduct surveys to aid our understanding of the difference we make to our community and how we can improve it.
● Report on how effective our communications are by analysing click rates and opens of our ebulletin and mailings.
● Monitor Endowment Fund recipient information, which is used to inform our community of the work we have funded. We also report this information to the fund holder, Quartet Community Foundation. For individuals this information will be anonymised.
● Distribute our magazine online and in paper format to 13,500 households and businesses in the Easton and Lawrence Hill wards of Bristol.
● Send you a direct invitation to an event by post – unless you have told us not to.
● Contact you by telephone about a project or area of our work you are interested in – unless you have told us not to.
Basis of processing your data
We will only process your data when you have given us your consent, by joining our mailing lists to receive our fortnightly ebulletin and other news relevant to our area. You are free to change your preferences at any time by contacting us at email@example.com
We process Endowment Fund information as part of our legal obligation: we are required by law to keep various business and charity records. We will process personal data when necessary to comply with our legal obligations.
You can update, request access or object to us processing your data at any time by contacting us at firstname.lastname@example.org
How and where we store your information
We will keep your personal information for as long as you allow us to. We seek renewed consent annually in October and delete contacts without renewed consent annually in November. Endowment Fund information is held for six years as part of our legal obligation. Our data protection policy implements this. If you have any questions about how long we keep your data, please contact us at email@example.com
We have in place appropriate controls to protect any personal data you provide. Our computer systems use encryption products that require a password to boot, and our mobile phones are all protected with a password, PIN or fingerprint recognition. For more information please request to see our data security policy and measures.
We ensure that access to personal data is restricted only to employees and that suitable training is provided for these employees.
We may use external companies to process personal data on our behalf. We will only use companies that have secure processes for handling personal data. When we use these companies we remain responsible for the storing and processing of the personal data you give us.
Where we store your personal information
We use web-based Civi-CRM to store and process contact data, and to send out our ebulletin and other mailings. This Drupal-based system is hosted by Circle Interactive within the UK. By submitting your personal data you agree to this transfer, storing and processing of your information. Endowment Fund data is stored on encrypted computers and is only accessible by employees.
When we share your information
We do not share or swap your information with any other charities or organisations.
We may employ or contract third parties to carry out tasks on our behalf. These third parties are bound by contract to protect your data and we remain responsible for their actions. We may provide third parties (such as funders) with general information about our residents, but this information is both aggregate and anonymous.
Your choices and telling us when things change
You can change your preferences on what you receive from us or how we contact you, at any time. You can do so by e-mailing us at firstname.lastname@example.org or calling 0117 9541 409.
Updating your details
We appreciate it if your details are up to date. You can update us by e-mailing us at email@example.com or calling 0117 9541 409.
You have the right to be informed about how we process your personal data, the right to access your data and the right to have your personal data held by us rectified if it is inaccurate or incomplete. You may have the right to ask us to erase your personal data, to ask us to restrict our processing or to object to our processing of your personal data. You can make these requests at any time by emailing us at firstname.lastname@example.org or calling 0117 9541 409.
Reporting data breaches
Personal data breaches are reported to the Information Commissioner’s Office no later than 72 hours after we become aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This is much wider than just data loss. All breaches must be documented. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, for example employees, data controllers must notify them directly.
For more information about your rights under GDPR you can visit the website of the Information Commissioner’s Office.
Tracy Parsons is the Data Controller for Easton and Lawrence Hill Neighbourhood Management and the trustees have responsibility for data protection within the organisation. They can be contacted at email@example.com or 0117 9541 409.
Data Protection Policy
The purpose of this policy is to explain why and how Eastside Community Trust protects personal data it collects, holds and processes in order to comply with GDPR and the data protection principles.
Who does this policy apply to?
Eastside Community Trust is both the data controller and a data processor. This policy applies to both roles. The Controller says how and why personal data is processed (see data audit for more details).
The Processor acts on the controller’s behalf and has specific obligations and legal liability if there is a data breach.
Eastside Community Trust processes its data itself, and also uses third party processors who are not subject to this policy. However, Eastside Community Trust has to be satisfied that the third party processors have policies and procedures in place to meet their specific obligations and legal liabilities under GDPR.
We use personal data in compliance with the 8 Data Protection Principles.
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The trustees of Eastside Community Trust have responsibility for GDPR compliance.
All trustees, volunteers and any freelance workers or employees will be trained in GDPR compliance.
Personal data is any information relating to an identifiable person who can be directly or indirectly identified by particular reference to an identifier. For example, Eastside Community Trust collects the names, addresses, e-mail addresses and telephone numbers of its users to send relevant emails and a fortnightly ebulletin. We also collect the names, e-mail addresses and telephone numbers of our volunteers and employees. Data about our users is checked annually upon renewal for accuracy and amended as necessary, and employees are asked to keep us updated should their personal details change.
Minors and consent
Minors need particular protection when their personal data is collected and processed because they may be less aware of the risks involved; however, we do not knowingly collect personal information from minors. Should this change, or should Eastside Community Trust become aware that it holds personal data from minors, we will design specific privacy notices with this in mind.
This notice explains how we collect data, how we use and store information and what it means for individuals. This will be published on our website and a link sent out via e-mail to all new users, volunteers, referees and newsletter subscribers the first time they are in contact with us. It will be reviewed annually. It is found here.
Lawful basis for processing data
Eastside Community Trust regularly reviews its data audit and lawful basis. The document identifies what data is collected and processed, for what purpose and the lawful basis for such processing.
Where legitimate interests is relied upon as the lawful basis for processing data, a legitimate interest assessment is undertaken in line with ICO guidance and recorded.
Compliance with GDPR
Eastside Community Trust regularly reviews and updates its data register to ensure all processing is GDPR compliant. This register provides details on the personal data processed by Eastside Community Trust, why it is being processed, the categories of individuals and categories of personal data, the retention schedules. Security measures are found in our Data Security Policy.
Retention of data
Details of data retention, destruction and deletion are found in the data register.
Rights under GDPR
Individuals have the following rights under GDPR and can contact us at any time to make a request in line with any of these rights at firstname.lastname@example.org
● The right to be informed
We meet this right through our privacy notice which is published on our website and sent to all members, volunteers, referees, or third parties whose data we collect and process. This notice supplies information about how we process personal data which is free of charge, easily accessible and easy to understand. Our privacy notice contains the information which should be supplied to individuals. The privacy notice is reviewed annually.
● The right of access
Individuals can contact Eastside Community Trust at any time to obtain confirmation of how their data is being processed, access to their personal data and the other information required to be made available in our privacy notice. We give this information free of charge and within one month of receipt. We reserve the right to charge a ‘reasonable fee’ when a request is clearly excessive or repetitive, or individuals are asking for further copies of the same information.
We will verify the identity of the person making the request by asking security questions, before giving this information. For example, asking them for their full name and email address.
● The right to rectification
Individuals can contact Eastside Community Trust at any time to ask that their personal data be rectified if it is inaccurate or incomplete. We will complete this within one month of receipt of the request.
● The right to erasure
We will comply with any requests to erase personal data and stop processing in the following circumstances:
– Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
– When the individual withdraws consent.
– When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
– The personal data was unlawfully processed (i.e. otherwise in breach of the
– The personal data has to be erased in order to comply with a legal obligation.
● The right to restrict processing
Should an individual make such a request, we will follow the guidelines regarding when this right applies and the process to take, found on the Information Commissioner’s website.
● The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
● The right to object
In relation to Eastside Community Trust, individuals have the right to object to processing on the basis of legitimate interests or direct marketing (our ebulletin). We will stop processing data for direct marketing purposes (our ebulletin) as soon as we receive the objection. We will stop processing data on the basis of our legitimate interests unless there are reasons not allowed under the GDPR, which are found here.
● Rights in relation to automated decision making and profiling
We do not use automated decision making or profiling.
When we use third-party companies we remain responsible for the storing and processing of the personal data we give them.
When Eastside Community Trust contracts employees and freelance contractors to carry out tasks on its behalf, those workers are bound by contract to protect personal data and comply with all Eastside Community Trust data protection policies and security measures. Eastside Community Trust remains responsible for their actions.
A data breach occurs when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
For example, sending personal data to an incorrect recipient or disclosing personal data unnecessarily.
Security – measures taken to prevent data breaches
Eastside Community Trust puts in place and regularly reviews security measures to protect personal data.
These measures are contained within our Data Security Policy and also our Cyber Security Policy.
In the event of a data breach
The trustees are responsible for managing any data breaches or suspected data breaches.
Should any volunteer, employee or any other person suspect a data breach, the trustees should be notified as soon as possible. The trustees will then determine whether a breach has occurred and if so, decide what the next steps are.
1. Trustees decide if a data breach has occurred and record their decision in writing.
2. Trustees take measures to deal with the breach including mitigating any possible adverse effects and record these measures in writing.
3. Trustees establish the likelihood and severity of the resulting risk to people’s rights and freedoms, including adverse effects on the individuals such as emotional distress and physical and material damage and record their decision in writing.
4. If the data breach is likely to result in risks to those rights, then the ICO must be informed of the data breach within 72 hours of becoming aware of it, or given reasons for the delay.
5. If there is a high risk to the rights and freedoms of individuals, then we will inform those concerned directly and as soon as possible.
Third-party data processors (Civi-CRM) have a duty to inform us as soon as possible if they suffer a data breach. If this occurs, we will follow the above steps to assess our breach reporting obligations.
We will follow the guidance on taking all of these steps found on the Information Commissioner’s website.
Data Security Policy and Procedures
Easton and Lawrence Hill Neighbourhood Management takes very seriously its duty to safeguard and protect the personal data it collects and uses from its users, volunteers and employees. This is not only to comply with data protection legislation but to give confidence that it is a charity which is trustworthy. This policy outlines the types of personal data ELH NM holds and how we keep it
This policy should be read alongside the data protection policy, privacy notice and cyber security policy.
Personal data collected on paper forms.
Paper contact forms, containing signed consent to receive mailings, are entered into our Civi-CRM database on return to the office or as soon as possible after collected. Once entered into Civi-CRM, the paper form is securely shredded. These forms will not be left unattended in an empty car or unattended in any public place.
Paper event registers, where used, may contain personal data and consent. This information is recorded in Civi-CRM for monitoring, the register is scanned and saved to an encrypted file to record consent, and the paper copy is then securely shredded. These forms are not to be left in an empty car or unattended in any public place.
Endowment Fund applications
Paper application forms are processed and held on file along with decisions, feedback and financial monitoring, and held on file in a locked cupboard. The files are retained for six years in line with reporting requirements. These files are not removed from the office.
Paperwork gathered during the recruitment process for shortlisting and selection is held in a locked cupboard and retained for six months in the event that the successful applicant does not pass the probation period and the position becomes vacant. After six months the paperwork is securely shredded. Employee and volunteer (including trustee) personal information is stored in a locked cupboard, with access restricted to managers. Volunteer files are securely shredded one month after the volunteer becomes inactive. Employee files are securely shredded six years after the employee has left the organisation. These files are not removed from the office.
Personal data in magazine
Content may include personal data. This is often unsolicited information provided by small community groups and so may contain a contact method which would be considered personal data. In this instance the information has been explicitly provided by the data subject, who has approved the content prior to publication. ELH NM will at no point use the publication to publish unchecked facts or personal data without consent.
Personal data stored on electronic servers
This data is accessed only by employees and is restricted by user permissions and is password protected. Inactive users are deleted within one month. No personal data is given to third parties.
Personnel data stored on electronic servers
Personal data gathered during the recruitment process to allow shortlisting and selection is held electronically and retained for six months, after which it is deleted. Employee data is accessed only by managers, is restricted by user permissions and is password protected. Inactive users are deleted within one month. Personal data is only shared with third parties in the performance of a contract or where a legal obligation exists.
Legacy data stored on electronic servers
ELH NM is the legacy of a New Deal for Communities programme, Community at Heart. As some of the work is still relevant, we hold the legacy data electronically, which could include some personal information. This information is encrypted on an external hard drive, access to which is restricted to managers only. ELH NM has removed as much personal information as it can; however, the amount of data is too vast to physically check each file, therefore this data will only be held as long as it is relevant, and will be securely destroyed after 12 months of inactivity.
Personal data stored on Civi-CRM
Personal information provided on contact and registration forms is transferred to Civi-CRM if consent has been given. If consent has not been given, anonymous information regarding attendance at an event may be entered. Personal data can also be added to Civi-CRM by the data subject by completing the ‘Join Up Our Street’ web form. ELH NM relies on Civi-CRM’s security processes to keep this personal data secure. Only employees have access to Civi-CRM, which is password protected. Inactive users are removed immediately. Remote access to Civi-CRM should only be via a secure, password-protected, private Wi-Fi connection. All laptops, remotely based computers and mobile devices used to access Civi-CRM should be password protected and not left unattended in empty cars or public places.
Cyber Security Policy
Like businesses, charities are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity. Losing access to this technology, having funds stolen or suffering a data breach through a cyber-attack can be devastating, both financially and reputationally. This policy has been developed using guidance from The National Cyber Security Centre (NCSC) for small charities.
Backing up data
It is vital to prevent loss of data following flood, fire, physical damage or theft by regularly backing up data. This will also make Eastside Community Trust more resilient to cyber-crime.
– Eastside Community Trust stores all its files on a server, which is backed up on a daily basis.
– Backups are made to an external hard drive, which is removed from the office overnight.
– The Finance and Office Manager is generally responsible for this, but can delegate this responsibility to other members of the team in anticipation of being away from the office.
– Staff email accounts are stored in the cloud which means this data is physically separate from the Eastside Community Trust office.
Keeping smartphones and tablets safe
Smartphones and tablets which are used away from the safety of the office need more protection than desktop equipment.
– All mobile devices are pin or password protected.
– All mobile devices are configured so that, if lost or stolen, they can be tracked, remotely wiped or locked.
– All mobile devices are kept up to date using the ‘automatically update’ option.
– When sending sensitive data, staff do not connect to public Wi-Fi spots, using only 3G or 4G connections via the device.
– Devices that are no longer supported by the manufacturers are replaced with up to date alternatives.
– Only approved software is downloaded to mobile devices.
Preventing malware damage
Malicious software (also known as ‘malware’) is software or web content that can harm desktop equipment. The best-known form of malware is the virus, a self-copying program that infects legitimate software.
– Use antivirus software to protect electronic equipment from viruses
All of Eastside Community Trust’s computers and laptops are protected by antivirus software. Our IT support company administers the software to ensure it cannot be turned off.
– Restrict threats from software and downloads
Staff have restricted permissions which do not allow them to install or download software. Our IT support company and the Finance and Office Manager have administrative permission to install software where needed.
– Patch all software and firmware
The latest software updates are set to automatically update.
– Switch on firewall
Our antivirus software also includes firewall protection. Our server is also protected under a separate firewall with additional security.
Avoid phishing attacks
In phishing attacks, scammers send fake emails asking for sensitive information, such as bank details, or containing links to bad websites.
– Ensure staff don’t browse the web or check emails from an administrator user; this will reduce the impact of successful phishing attacks.
– Scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
– Check for obvious signs of phishing, like poor spelling and grammar, or low-quality versions of recognisable logos. Does the sender’s email look legitimate, or is it trying to mimic someone you know?
Using passwords to protect data
Passwords, when used correctly, are a free, easy and effective way to prevent unauthorised people from accessing your devices and data.
– All desktop computers and laptops use encryption products that require a password to boot. Switch on pin/password protection or fingerprint recognition on mobile phones.
– Use two factor authentication from important websites such as banking and email, if you’re given the option.
– Avoid using predictable passwords such as family or pet names, or the most common passwords that criminals can guess, like passw0rd. A strong password contains a combination of upper and lower case characters, numbers and symbols.
– Do not enforce regular password changes; passwords only need to be changed when you suspect a compromise.
– Change the manufacturers’ default passwords that devices are issued with, before they are distributed to staff.
– Provide secure storage so staff can write down passwords and keep them safe, but not with the device. Ensure staff can reset their own passwords easily.