Privacy Policy
PURPOSE AND BACKGROUND
The Unicorn Centre holds information about riders, volunteers, Supported Volunteers and other people involved with our activities. The Unicorn Centre has a responsibility to look after this information properly, and to comply with the Data Protection Act. The UK Act was replaced by the EU General Data Protection Regulation (GDPR) on 25 May 2018. It is likely that the GDPR will continue to form the basis of our Data Protection legislation, even though the UK has left the EU, so it is fully taken into account in this policy.
Good Data Protection practice is not just a matter of legal compliance and ticking the boxes. Data Protection is about taking care of people and respecting their privacy. Poor practice or a serious breach could not only harm individuals but would also have a serious effect on the reputation of our group and RDA as a whole.
SCOPE
This policy applies to information relating to identifiable individuals which is held by the Unicorn Centre. It also applies when visiting our official website or using any of our on-line services.
WHEN USING OUR WEBSITE
We recognise that on-line privacy is an important issue, so we design and operate our services with the protection of your privacy in mind. This also applies when using our website for making a purchase or donation, subscribing to our mailing list, or when using any forms provided on our website.
OUR COOKIE POLICY
All requests to our website start a session which stores the IP address in the session data and creates a session cookie in the user's browser. The IP address is used as a security measure to help protect against potential session hijacking attacks and this information is deleted once the session has expired and its data purged. The session cookie's name is based on a randomly generated hash and therefore does not have a constant identifier. The session cookie is destroyed once the session has expired or the user has exited their browser. When using the ecommerce (shopping cart) functionality of the website to make any form of purchase, a cookie is used only to store the contents of your shopping cart. This is required for our website to function correctly. The cookies used on our website are classed as ‘Strictly Necessary Cookies Only’.
WEBSITE ECOMMERCE
We do not gather or store any payment information such as credit card details on our website. All payment transactions made on our website are processed by the secure on-line payment gateway provided by PayPal (PayPal Checkout). This means all sensitive payment information is processed and stored by them. All PCI-DSS legal requirements are met by the PayPal service in this regard.
OUR LEGAL BASIS FOR USING PEOPLE’S DATA
Everything we do with records about individuals – obtaining the information, storing it, using it, sharing it, even deleting it – will have an acceptable legal basis. There are six of these:
- Consent from the individual (or someone authorised to consent on their behalf).
- Where it is necessary in connection with a contract between our group and the individual.
- Where it is necessary because of a legal obligation – if the law says you must, you must.
- Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
- Where it involves the exercise of a public function – i.e. most activities of most government, local government and other public bodies.
- Where it is necessary in our legitimate interests, as long as these are not outweighed by the interests of the individual.
Where we are basing our processing on consent we will be able to ‘demonstrate’ that we hold consent. This means having a record of who gave consent, when they gave it, how they gave it (e.g. on the website, on a form, verbally) and what they actually consented to.
In the case of legitimate interests we will do a balancing test, and be confident that our legitimate interests in using the data in a particular way – for example in providing our services or raising funds to support them – are not over-ridden by the interests of the individual.
A copy of our Privacy Notice, which will be supplied to all Centre users, is attached as Appendix 1.
There are additional considerations where we are holding information about people’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and also genetic data or biometric data, health data or data concerning their sex life or sexual orientation. We will legitimise the use of any of these categories of data by having the individual’s explicit consent.
DATA PROTECTION PRINCIPLES
Data Protection compliance is based largely on a set of Principles.
The six GDPR Principles say that:
1. Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them.
2. When you obtain information you must be clear why you are obtaining it, and must then use it only for the original purpose(s).
3. You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary.
4. Your information must be accurate and, where necessary, up to date.
5. You must not hold information longer than necessary.
6. You must have appropriate security to prevent your information being lost, damaged, or getting into the wrong hands.
Our policy sections below reflect each of these principles in a bit more detail.
TRANSPARENCY AND PURPOSES (FIRST AND SECOND PRINCIPLES)
We will make key information available to people at the time we collect information from them. This includes:
- the identity and contact details of the Unicorn Centre and the persons who are responsible for Data Protection;
- the purposes we intend to use the data for and our ‘legal basis’ for this (see above);
- what we regard as our ‘legitimate interests’, if this is our basis for processing;
- any specific recipients of the data (e.g. RDA UK) or categories of recipients.
Other information will be made available where relevant. This includes:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- details of the individual’s rights, such as to request a copy of all the data held;
- the right to withdraw consent if that is the legal basis for processing (but not retrospectively);
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
In both cases, we will only tell people things they won’t already know. When riders, volunteers, Supported Volunteers and other people join the Unicorn Centre they know that we will keep a record about them and their activities with us. We will therefore tell them anything that may not be entirely obvious to them. This could include things like:
- The fact that RDA nationally is a separate organisation and that limited data may be passed to RDA. We will reassure people that their data is anonymous when analysed on Tracker by RDA.
- Any direct marketing that we may want to carry out (see below), or any additional purpose(s) that we might use the data for – publicity, perhaps. (‘Data’ can include photos, videos, CCTV, audio recordings, etc., not just written records.)
DIRECT MARKETING
One explicit right that people have is to stop us sending them marketing material (by post, phone, email or text) if they don’t want it.
When we collect information from people that might be used for marketing we will say so at the time and ask them if they are happy to hear from us. The wording will be along the lines of: “We would like to keep you up to date with information about opportunities and events within the Unicorn Centre and RDA nationally, and how you can support us. Please tick here to indicate which method(s) you are happy for us to use: Mail □, Phone □, Email □, Text □”.
These rules are only for marketing. They do not stop us from contacting people in whatever is the most convenient way to give them information about things they have already signed up to, or for other administrative purposes.
DATA QUALITY, RECORD KEEPING AND RETENTION (THIRD, FOURTH AND FIFTH PRINCIPLES)
Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with. GDPR insists on this. We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and, where necessary, kept as up to date as possible. We will not keep it longer than necessary.
We will remind our staff, volunteers and Supported Volunteers that the individual concerned has the right to see all the information recorded about them by the group. While Data Protection concerns should never prevent us from recording the information we believe we need (especially in cases relating to safeguarding or other serious misbehaviour), being over-casual, rude or injudicious in an email could easily cause a major crisis for the Unicorn Centre, and even the wider RDA nationally. This can be a useful discipline in deciding what to record and how to record it.
The Unicorn Centre will also have a clear policy on how long to keep information. We will draw up a retention schedule, taking each type of record we hold and specifying how long we normally keep it, and our justification for this. We will set up a process for ensuring that data is deleted or destroyed routinely at the appropriate time.
SECURITY (SIXTH PRINCIPLE)
We will take good care of the information we hold, whether on computer or on paper, and make sure that we have provided guidance and training to our staff and volunteers so that they treat the information appropriately.
In particular we will think about the risks when data is ‘in transit’ – either on portable devices or when it is being sent out. For example:
- If people are using their personal phone, laptop, camera or other device for the Unicorn Centre’s purposes there will be clear expectations of how they should be secured.
- When sending information, particularly by email, we will take steps to prevent confidential information being sent to the wrong person. For example, by using password-protected documents and sending the password in a separate email.
- We will also take care not to disclose people’s email addresses or other information inappropriately by carelessly copying in a large number of people or forwarding an email that has been copied widely. [Mass recipient emails will list recipients using BCC, not To or CC.]
- Information on paper will not be left lying around, and will only be taken out of a secure location when this is really necessary.
- Where information is processed for us externally (for example by RDA UK) we will expect the external organisation to be able to give us satisfactory guarantees about the security measures they take.
RESPONSIBILITIES
Responsibility for compliance with Data Protection lies with the organisation, not with any specific individual. The Trustees as a whole body will be responsible for keeping up to date with any developments, checking that we are complying and have the evidence to prove it, giving advice to staff, volunteers and learners, and handling any issues such as a data breach or a Subject Access Request. The Trustees may designate someone to be the lead person.
We will notify RDA National Office in the event of a serious issue, e.g. a data breach, along with other appropriate bodies where necessary.
When we work in collaboration with other organisations, we will sort out clearly (and in writing) who is responsible for what, in order that there are no Data Protection gaps.
If we engage external suppliers to handle data for us in any way, our contract will set out their responsibilities to handle data in a way that will not cause us to be in breach.
Appendix 1 Refers
Approved by the Board of Trustees on 16 December 2024.
REVIEWS (As needed or annually)
APPENDIX 1
PRIVACY NOTICE
What information do we collect about you?
We collect information about you when you complete relevant forms for us, including the rider, volunteer and learner application forms, as well as competition entry forms.
How will we use the information about you?
We will use the information about you to administer the Unicorn Centre’s ride schedules. We may pass the information about you to Riding for the Disabled Association incorporating Carriage Driving (RDA), the national body, and other appropriate governing bodies.
Limited, anonymised information may be passed to RDA for analysis. We will not disclose any information about you to any company other than noted above, or if required to do so by law.
Marketing
We would like to send you newsletters and other information about how you can support the Unicorn Centre. If you have consented to receive marketing, you may opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes.
Access to your information and correction
You have the right to request a copy of the information that we hold about you.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
Retention of data
Once you are no longer involved with the Unicorn Centre, we will securely retain your data for 3 years for adults and 3 years after a child reaches the age of 18.
How to contact us
If you have any questions about our privacy policy or information we hold about you, please contact us at:
Data Enquiries
Unicorn Centre
Stainton Way
Hemlington
Middlesbrough
TS8 9LX
Email: enquiries@rdaunicorncentre.co.uk



