Privacy Notice (01 November 2019)
Who we are
The Royal Air Forces Association (“we” and / or “us) is a welfare charity, registered with the Charity Commission in England and Wales under charity number 226686 and with the Office of the Scottish Charity Regulator under charity number SC037673. We are registered as a data controller with the Information Commissioner’s Office (ICO). Our Data Protection (DP) Policy, together with its supporting Standard Operating Procedures (SOP), is designed to ensure that all activities conducted by the Association safeguard the confidentiality of personal information and comply with the provisions of Data Protection legislation, including the General Data Protection Regulation (EU) 2016/679. This Association Privacy Notice sets out how we will collect, use, share and protect your personal data.
We promise to respect the confidentiality of any personal data you share with us (or that we get from other organisations), to keep it safe and to always make every effort to protect your privacy.
We pride ourselves on our honesty and openness and will always be clear how, when and why we collect and process your information; we promise will never do anything with your details that you wouldn’t reasonably expect.
Developing a better understanding of our members and supporters is crucial, and your personal data allows us make better decisions, fundraise more efficiently and, ultimately, helps us to reach our goal of supporting the RAF family.
What information do we collect?
How much personal information we collect depends on our relationship with you. For example, if you are donating to us we will need to hold far fewer details on you than if you are asking us to assist you with a welfare issue, where we will need to know more about your personal circumstances. We will only ever capture the minimum amount of information that we need to and we promise to keep your information secure and only share with parties who need to know.
Personal information we may collect from you includes:
- Your name
- Your contact details
- Your date of birth
- Your bank or credit card details
- Details of the enquiry, service or product
- What action we have taken and, if we have passed this to anyone else, their details
- Your marketing preferences
- Records of your correspondence and engagement with us
- Survey responses
- Employer details and National Insurance number if you are a payroll donor
- Details of your relationship with us, our branches and subsidiary companies
- Details of your relationship to other supporters, where appropriate
- Details about your health, should you sign up take part in activities which may involve some risk or physical exertion
Information may be collected via:
- Any paper forms you complete
- Telephone conversations or face-to-face interviews
- Email correspondence
- Digital forms completed via our website or third party websites such as Just Giving
- Publicly available sources
- Communication via social media
If you visit our website or social media pages, we may automatically collect the following information:
- Which pages you visit
- The amount of time you spent on our website
- Whether you are a new visitor
- How you came to our website
- The type of device and browser you use
Our website may have links to other third party websites we do not operate. You should read the privacy notices on those websites before you submit your personal information.
We will let you know before collecting your data if it is part of a statutory or contractual requirement or obligation, and the possible consequences of not providing the information.
We store information from cookies anonymously to assist us in the running of our group websites, and for monitoring the activity and traffic both to and through our website using Google Analytics. You can opt out and find out more about Google Analytics by visiting http://tools.google.com/dlpage/gaoptout
You can restrict or block certain cookies through your browser settings. In your browser (for example, Google Chrome or Internet Explorer), click on the ‘help’ option to find out how to do change your cookie settings.
You can also visit www.aboutcookies.org.uk/managing-cookies which shows you how to do this on different browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies.
How do we use your information?
We believe that the individuals whose information we hold are fully aware of the nature of their relationship with us and the mutually beneficial reasons for remaining in contact.
The individuals whose details we hold fall into the following primary categories. They may be potential, current or past:
- RAFA Youth members
- Non-transactional supporters
- Individual corporate partnership contacts
Depending on the specific purpose, we may process your information on the following legal bases:
- With your consent
- To enter into or to perform a contract with you
- To protect your vital interests
- For our legitimate business interests or activities as a not-for-profit organisation
- To perform a task in the public interest
- For compliance with our legal or social protection obligations
We may use your personal information for the following purposes:
- To respond to enquiries about services, products, events or information you asked for
- To update you about the work of the Royal Air Forces Association, our branches and our subsidiary companies
- To communicate with you in your role as an area, regional, branch, RMG or club official
- To administer your membership and volunteering activity
- To administer your donation or support your fundraising, including processing Gift Aid
- To process any welfare requests including signposting and, in some cases (with your permission when required), sharing your details with other third-parties, agencies and authorities
- To send you information about appeals and fundraising activities – including requests for donations, information about how you can leave us a gift in your Will, how you can raise money on our behalf and attend or take part in a fundraising event
- To organise your attendance at other events
- To update your Telephone and Fundraising Preference Service preferences
- To manage our employees
- To respond to complaints
- To further our charitable aims
- As and when required by law
We follow an opt-in consent approach for all electronic marketing communications activity through email, text and phone. For postal marketing communications, we will use legitimate interest as the legal basis for activity and individuals will have the right to opt out of marketing communications. A combination of these two approaches is deemed the most appropriate in meeting the needs of the charity and the expectations of our beneficiaries, members and supporters.
Below is a non-exhaustive list of the regular marketing communications we undertake:
- To communicate with lapsed members regarding their membership subscription and to undertake research to improve our membership offering and services (such as Air Mail, membership card, welcome and renewal packs and satisfaction surveys).
- To encourage individuals to support the Association through joining as a member, making a donation or by giving their time to volunteer. These requests are made to individuals who have communicated, engaged or given to the Association financially within the past three years.
- To invite individuals to events, share updates on the impact of our work, promote content on social media or become advocates of our cause.
- To send proposals and updates to named individual business and corporate partnership contacts (using their business addresses only)
- To contact rafaYOUTH members aged 17 to invite them to become a member of the Association when they reach 18 years old.
- To provide information to visitors to our events on other opportunities to support the Association, if they have provided their personal information (e.g. as a result of buying a ticket for a paid-for event).
We also use an opt-in basis for some non-marketing communications, such as to contact beneficiaries to undertake research and evaluation to improve our welfare services. These request are made to individuals who have used the Association’s welfare services within the past five years
We may analyse the details you have provided to us along with further information we collect about you from public and/or private sources. If we do this we will make sure it is compliant with GDPR. We may make use of additional factors such as demographic, geographic and financial information and measures of wealth.
We do this to help us understand why people are motivated to support the RAF Association and to help us create a better picture and understanding of our members and supporters. This enables us to communicate more effectively, to identify and reach out to individuals who may wish to give additional support with a further monetary gift, or volunteer their time/services to support the RAF family.
We may use information that is already in the public domain to identify individuals who may be interested in supporting our work with a major gift. These publicly-available sources of information include Companies House, the electoral register, the phone book, the Charity Commission’s Register of Charities, Who’s Who, LinkedIn, company annual reports, newspaper articles and social media channels. In order to do this efficiently, we may use trusted third party specialist companies that collate and analyse information from public registers alongside statistical social-economic data to automate some of this work but this will only be done with your consent and using GDPR compliant suppliers. Under data protection legislation, you have the right to opt out of your personal data being processed in this way. If you wish to opt out of being identified as a high net worth individual, please email: firstname.lastname@example.org
We are also legally required to carry out checks on individuals who give us large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.
Social Media and Digital Advertising
Here is some more detail on what information we collect on and share with social media and other listed digital advertising channels and why:
We also use Facebook cookies to retarget supporters who have previously engaged with us through our website.
We may also use your email address and name details to identify new audiences on digital advertising channels. This helps us provide information, products and fundraising asks that we feel may be of use or interest to those audiences. This involves uploading your details to third party media organisations, including Facebook, Instagram, LinkedIn, YouTube, Google, Microsoft (formerly Bing) and Twitter, from which they identify “lookalike” cohorts. This upload is governed by terms and conditions restricting the processing and use of the data, which can be viewed on the respective media organisations’ website.
In order to prevent and detect crime, and to ensure the safety of our members and staff, we operate CCTV systems at our various locations. These cameras record footage in real-time and are operated and controlled by our own staff.
Recording Telephone Calls
We use a voice-telephony recording system to record calls to our contact centre and other telephone lines. The system is used for the following purposes:
- to provide clarification and confirmation of information given or received
- to enable quality monitoring of contact centre staff
- for staff training
Callers will be informed that their calls are being recorded for these purposes by a pre-recorded opening greeting message when they call the contact centre.
Data recorded by the telephone voice recording system will only be used for the purposes set out above. The data shall be held securely and accessed by authorised users only. Within the scope of usage described above, we may export data from the voice recorder. Exported data shall be stored in secure locations but be deleted within 12 months of capture.
Employees & volunteers
We will collect all personal information required to comply with employment legislation, including (where necessary) special category data. This may include medical information and, when appropriate, a criminal record search. To prevent discrimination and to ensure diversity, we request information from the employee or volunteer on religion, sexuality and ethnicity. Further information is provided through specific privacy policies for employees and volunteers.
How do we share your information?
We may share your information across the RAF Association and its subsidiary companies, all of which are separately registered with the ICO as data controllers. The sharing of data between us and each subsidiary is subject to a written data sharing agreement.
Branches: The majority of our members are members of one of our branches, which are separate charities within their own right and legally responsible for protecting your data whilst it is in their safekeeping. Our branches must comply with our Data Protection Policy and Standard Operating Procedures in relation to the membership data we share with them and we will only share your personal data with your branch. .
Suppliers and contractors: We may allow our suppliers to access and use your personal data to allow them to perform services on our behalf, such as payment processing and maintenance and support of our systems. In these circumstances we will not give these organisations any rights to use your personal information except to provide services to us and in accordance with our instructions.
Associated organisations: we may share anonymised data with other similar military charities to further our charitable aims. You cannot be identified from this data.
Agents: we may share anonymised data with agents to improve the quality of our services, for example analytics companies to measure the effectiveness of our marketing campaigns.
Police, government departments, local authorities, regulatory bodies etc: we will share personal data where there is a legal obligation to do so. In other circumstances, we may share it for the prevention and detection of crime
We will never sell your personal data to a third party.
How do we keep your information up to date?
We are committed to ensuring that we keep your information accurate, and up-to-date. We would appreciate it if you would let us know if your contact details change. Members can also update their details on our system themselves, by visiting www.rafa.org.uk/portal.
To assist us in this task we also use publicly available sources to keep your records up to date. Examples of such sources include the Post Office national change of address database and/or the public electoral roll, which help us to identify when you have changed address so that we can update our records and stay in touch. We only use sources where we are confident that you’ve been informed of how your information may be shared and used.
In some circumstances, particularly in relation to membership, we may use information from external sources where we are satisfied that the source of the information is valid. Where possible we will seek to confirm this with you.
We do this so we can continue to contact you appropriately. This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to.
We’re committed to putting you in control of your data and you’re free at any time to update your contact details or preferences – just contact 0800 018 2361 or email email@example.com
How do we protect your information?
We ensure that there are appropriate physical, technical and organisational controls in place to protect your personal details. For example, paper records are locked away, our online forms are always encrypted and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors. Where we use external companies to collect or process personal data on our behalf we do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect or have access to. We’ll only ever allow your data to be used temporarily by suppliers working on our behalf.
Your personal information will be hosted securely within the UK or the EU and will always be protected under the General Data Protection Regulation (GDPR). GDPR is EU legislation that has already been passed into UK Law so it will continue to apply after Brexit.
Some of our branches and suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as organisations based in the UK and/or the EU we will take steps to make sure they provide an adequate level of protection in accordance with GDPR and UK data protection law. By submitting your personal information to us you understand and agree to this transfer, storing and processing at a location outside the EEA.
How long do we hold your information?
We will retain your personal information for the period necessary to fulfil the purpose for which we collected it. Different types of information are held for different periods in accordance with our retention policy.
We will only keep your information for as long as we need it to assist you with your enquiry, process your membership or to assist with our volunteering, fundraising or welfare activities. In some cases there are statutory timescales on how long we are required to keep your information, for example, Gift Aid transactions must be retained for seven years. We shall delete your information according to these statutory limits, or according to official guidance.
You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.
For more information about the cookies we use, including third party cookies, please read our cookies policy.
What are your personal information rights?
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your right of access: You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification: You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure: You have the right to ask us to delete your personal information in certain circumstances.
Your right to restrict processing: You have the right to ask us to restrict the processing of your information in certain circumstances. This includes the right to object to profiling to automated decision making.
Your right to object to processing: You have the right to object to processing in some circumstances and this includes the right to object to us sending you direct marketing. If you no longer wish to receive marketing communications from the RAF Association, you can use these methods to let us know:
- Use the unsubscribe link at the bottom of our emails
- Use the STOP code and reply to stop receiving SMS messages
- By calling our Customer Care team on 0800 018 2361
- In writing to Customer Care, RAF Association, Atlas House, Wembley Road, Leicester, LE3 1UT
Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
More information on any of these rights is available at https://ico.org.uk/your-data-matters/
Young people: We collect and manage information from under 18’s, and aim to manage this in a way which is appropriate to the age of the young person. Information is usually collected when under 18’s join rafaYOUTH or fundraise for us. Where possible and appropriate, we will seek consent from a parent or guardian before collecting information about minors. We ask the young person if an adult with parental responsibility can provide consent for us to hold/use the young person’s personal data but if this is not possible, we will make a professional judgement.
Special category data: To support you to the best of our ability, for example to assist with a housing enquiry, or assist with access to medical services or counselling, we will need additional information from you, which may include health information. This may come directly from you, or from a third party on your behalf, for example a family member or GP.
We will normally only hold, use and share this special category data with your explicit permission, although there may be reasons when we are required to do so by law, or to protect your vital interests. In that case we may process your information without your knowledge or consent – but this would be extremely rare.
Changes to this notice: From time to time, we may revise this notice. Updated versions will be posted on the website. If we make any significant changes, we will draw attention to them. This document was last updated in October 2019.
You can contact us at any time to update your details, change your communication preferences, opt out of any marketing, change your consent, object to processing, make a subject access request or make a complaint.
By phone: 0800 018 2361
By email: firstname.lastname@example.org
By post: FREEPOST The Royal Air Forces Association
Members’ Portal: Members can update their communication references at any time via the online members’ portal – https://www.rafa.org.uk/portal/
If you are unhappy with how we have processed your personal information, please contact the Data Protection Officer. Our Data Protection Officer is Vikki Hall, Director of Governance and Risk. You can contact her via email@example.com or our postal address. Please mark the envelope ‘Data Protection Officer’.
If you are still unhappy you many contact the following:
Information Commissioner’s Office
Cheshire, SK9 5AF
Helpline: 0303 123 1113 (local rate) or +44 1625 545 745