Privacy
Last updated 12 August 2024
The Joseph Rowntree Foundation (JRF) is committed to protecting your privacy and being transparent about how we collect, use and safeguard your personal information.
JRF collects different information about people depending on the services or relationship we have with them.
JRF general privacy notice
Who are we?
The Joseph Rowntree Foundation (JRF) is an independent social change organisation working to support and speed up the transition to a more equitable and just future, free from poverty where people and planet can flourish. We are a company limited by guarantee (12132713) and a registered charity (Scotland: SC049712; England and Wales: 1184957). The address of our head office is: The Homestead, 40 Water End, York YO30 6WP.
How we use your information
We use your information to help us achieve our cause through our policy work, research, and campaigns.
We use your information to communicate with you if you apply for funding.
We use your information to perform a contract with you as one of our employees or suppliers.
We will only use your personal information for the purposes for which we collect it. In limited circumstances we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it.
We may use your personal information for a new purpose if either this is compatible with the original purpose, we get your consent, or we have a clear obligation or function set out in law.
If you do not provide your personal information
If you do not provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as making payments without your bank information).
Legal framework and your rights
We use your information in line with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. We refer to these as “the Data Protection Laws”.
The Data Protection Laws require us to have a lawful basis for using your information.
The Data Protection Laws give you rights which you can use to manage your information to:
- request access (commonly known as a “data subject access request”) to the personal information we hold about you
- request correction of your information if you believe it is incomplete or inaccurate
- request erasure of your information where there is no good reason for us continuing to process it
- object to processing your information where we are relying on a legitimate interest (or those of a third-party) and you want to object to processing on this ground
- request the restriction of your information if you want us to check its accuracy
- request the transfer of your personal information to another party in a useful format
- withdraw consent if we are processing your personal data based on your consent at any time.
Some of these rights only apply in specific circumstances or to a limited extent. If you would like to exercise any of your rights or talk to us about how your data is processed, please contact our Data Protection Officer.
If you are not happy with the way we have handled your information you can complain to the Information Commissioner’s Office (ICO).
Do we use automated decision making?
We do not currently and do not anticipate using any automated decision making (computer only decisions with no human interaction) on your personal information. We will update this notice if this changes.
Security of your information
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, altered, disclosed, used or accessed in an unauthorised way. We limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know.
Third-party processors will only process your personal information on our instructions and where they have agreed to treat the information securely and confidentially.
How long we keep your information
We retain your personal information for the duration of your relationship with us and then for a period defined by legal, accounting, or reporting requirements. Copies of our retention scheme are available on request.
In some circumstances, we anonymise your personal information so that it can no longer be associated with you. In such cases, we may use anonymised information without further notice to you.
The person responsible for how we look after your personal data is the Data Protection Officer.
You can contact them on:
ig@jrf.org.uk
01904 629 241
You can also contact the Data Protection Officer to request this privacy notice in another format, for example, large print.
You can read the privacy notices that relate to each specific area of JRF below:
Individual privacy notices
Last updated: March 2023
This privacy notice tells you what to expect as an applicant for a job or an employee regarding the personal information collected and processed by the Joseph Rowntree Foundation (JRF).
This privacy notice is applicable to all roles, including voluntary positions, and is equally applicable to temporary and bank staff as it is for those permanently employed.
Key points
- We process a significant amount of information about employees including special categories such as health and criminal records information.
- We respect the security of your data and treat it in accordance with the law.
- We take particular care of special category data such as health information.
- We collect and process different information as you progress through recruitment with us.
Types of personal information we collect
Recruitment
We process the following types of data about you:
- your name and contact details
- identity information such as your date of birth and gender
- your previous experience and education
- information about you on publicly available sources such as LinkedIn
- your referees
- answers to questions relevant to the role you have applied for
- notes from interviews.
Conditional offers
If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks.
We are required to confirm the identity of our staff, their right to work in the UK and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- proof of your identity
- proof of qualifications.
We will contact your referees, using the details you provide in your application, to obtain references and information on your trustworthiness, integrity and reliability. Your referees may be asked follow up questions on these areas if anything is unclear or uncertain.
Confirmed, unconditional offers of employment
We will process the following:
- comments, queries or concerns you have in relation to the offer being made and our response(s) to such correspondence
- bank details to process salary payments
- HMRC starter checklist to ensure you are placed on the right tax code and where applicable, capture any student loan data
- emergency contact details so we know who to contact in case you have an emergency at work.
Unsuccessful candidates
If you are unsuccessful following either shortlisting or interview/assessment for the position you have applied for, we will only keep the personal data you provided for the application process for a period not longer than 12 calendar months from when we last processed your application.
We may on occasion ask if you would like your details to be retained in our talent pool for the purposes of contacting you in the future, should other suitable vacancies arise. This would be for an initial period of 12 months after which we would contact you again to ask the same question. Should we receive no response to this request then your details will be removed.
Employee data
As your employer, we will need to keep and process additional information about you for employment purposes, including:
- your contract of employment and any amendments to it
- correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary
- information needed for payroll, benefits (which may include pensions) and expenses purposes
- your contact and emergency contact details
- records of holiday, sickness and other absences (including the reason(s) for such leave)
- records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records
- login details for computer systems used as part of your role with us
- information captured or recorded by CCTV, electronic card access, IT access logs, vehicle tracking, and dashcam footage
- your image for staff intranet and ID purposes
- comments, queries or concerns you have in relation to your employment and our response(s) to such matters
- your image for promotional work or bids.
Sources of personal information
We gather this information from:
- you (including your use of JRF systems)
- recruitment agents
- publicly available sources such as LinkedIn or social media
- your referees and previous employer
- the Disclosure and Barring Service (DBS)
- Occupational Health and other necessary sources.
How we use your special category data
You will be asked to provide equal opportunities information. This is not mandatory information. If you do not provide it, it will not affect your application or employment. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor diversity statistics.
Dependent upon the role, we may contact you to complete a DBS application. You will be sent an electronic link to facilitate this in addition to providing original forms of ID (further ID information is provided at the time of offer). Your DBS ID will be retained on your staff file, and if you do not consent to your ID being retained you must notify us in writing.
We will ask you to complete a questionnaire about your health. This is to establish your fitness to work. The occupational health form may be shared with occupational health providers who may ask for access to your GP records.
Where necessary, we may process information relating to your health, which could include reasons for absence and GP reports and notes. We will use this for internal monitoring of sickness absence.
Dependent upon the role, we may ask you to provide evidence of your Covid-19 vaccination or exemption status.
You will be asked to complete a criminal records declaration to declare any unspent convictions.
Our lawful basis for using your information
In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you. There are 6 different lawful bases and for the purposes of employment we use the following:
- using your information in this way is necessary for us to perform (or enter into) the employment contract between us
- using your information is necessary for us to comply with legal and regulatory obligations to which we are subject (such as DBS checks and meeting statutory requirements to make reasonable adjustments)
- using your information in accordance to our legitimate interests, or those of a third-party, and your interests and fundamental rights do not override those interests (such as keeping our sites and staff safe by using CCTV)
- you have given us your consent to use your information for a particular purpose (such as using your photograph for publicity).
Our lawful basis for using your special category data
Special categories of personal data (personal information that is sensitive in nature) require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. The additional lawful basis on which we rely in order to use your special categories of personal data which we collect about you are:
- it is necessary for your/our obligations and rights in the field of employment and social security and social protection law, such as to comply with our health and safety and occupational health obligations
- you have provided your explicit consent to our use of your information, such as your background checks, or use of your photograph
- it is necessary for reasons of substantial public interest
- it is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, for example, to administer and manage statutory and company sick pay.
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.
Who we share your personal information with
We share your personal information with third parties where required by law, for example, to HMRC, the police, and other regulators such as the Charity Commission in the following circumstances:
- the prevention or detection of crime and fraud
- sharing in connection with legal proceedings
- the assessment or collection of tax or duty owed to customs and excise.
We may also share your personal information with:
- third-party service providers such as occupational health, the Disclosure and Barring Service, IT support, and CCTV processing
- advisors such as accountants, solicitors, and insurers
- organisations processing applications, requests, and enquiries on our behalf or at the request of a resident.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
We share the personal information of JRF Directors and of the 5 highest paid non-executive employees with the US Tax authorities for the purpose of maintaining our status as an exempt foreign private foundation, which minimises the tax withheld on income arising from our US investments.
We may also share data when managing any proposed restructuring, transfer or merging of any or all parts of our Trusts, including to respond to queries from the prospective merging organisation.
If you leave your employment with us
Should you leave our employment, we are required to keep any data that relates to PAYE (pay as you earn) for a period of 7 years after the end of the tax year from the date of leaving. A full list of retention dates of documents that may have been held on your staff file is available on request.
Last updated March 2023
This privacy notice tells you what to expect as a supplier or prospective supplier regarding the personal information collected and processed by the Joseph Rowntree Foundation (JRF).
Key points
- We use third-party service providers and some of your information will be shared with them.
- We respect the security of your data and treat it in accordance with the law.
- We may transfer your personal information outside the EU and, if we do, you can expect a similar degree of protection in respect of your personal information.
- This statement does not form part of any license agreement or other contract to provide services.
- We may update this statement at any time.
Types of personal information we collect
We collect the following types of data about you:
- your name and business contact details
- if you are self-employed, information about your tax status such as HMRC records of self-assessment and bank details.
Sources of your personal information
We gather sources of personal information from:
- you
- credit reference agencies
How we use your information
We use your information for:
- making a decision about procuring goods or services
- determining payment terms and making payments
- to prevent fraud
- managing any proposed restructuring, transfer or merging of any or all parts of our Trusts, including to respond to queries from the prospective merging organisation.
Our lawful basis for using your information
In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you. There are 6 different lawful bases and for supplier personal information we use the following:
- it is necessary for us to perform or enter into the contract between us
- it is necessary for us to comply with legal and regulatory obligations to which we are subject
- it is necessary to our legitimate interest of running our charity effectively.
We may use your information for a purpose other than those set out in this policy but only where that complies with the Data Protection Laws.
Sharing your information
We share your personal information with third parties in the following circumstances:
- where required by law, for example, to HMRC, the police, or regulators such as the Charity Commission
- to third-party service providers (including contractors and designated agents) such as IT service providers, auditors, legal advisers, banks or other financial institutions to facilitate payments and contractors or prospective merging organisations who work on our systems.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
Last updated October 2023
This privacy notice tells you what to expect regarding the personal information collected and processed by the Joseph Rowntree Foundation (JRF) when applying for funding.
Types of personal information we collect
If you are applying to us for funding (either through an open call, limited tender or via a direct commission) we will ask for the following information:
- Name
- Job Title
- Work Address
- Telephone Number and email address
Sources of your personal information
We gather sources of personal information from:
- You
- from publicly available sources, such as your organisation’s website
How we use your information
If your proposal is successful we need this information to enter into a contract with you. We may also use the information for the purposes of internal audit, monitoring the fairness of trends in applications decisions and for statistical purposes.
Your data will be processed by our staff, who are all based in the UK. The data we process may be held internally on our own managed systems, externally on cloud based services or on the systems of partners who process information on our behalf.
We are committed to storing data securely wherever it is held, and ensuring it is only accessible to authorised personnel. Where data is stored on partner systems we expect them to adopt security practices aligned with our own.
How long we keep your information
Unsuccessful applications: We keep these for two months after the date the decision is notified to the applicant. This is in case of complaint or request for additional information on the decision. After this time all electronic documentation is deleted. Hard copies are destroyed via our confidential waste.
Successful applications: An electronic copy of the proposal documents is saved on our project management database (Customer Relationship Management) to the end of the project plus one year to allow for any dissemination activity. At the end of this time the documents are deleted from our system, along with any other documents generated during the term of the project.
The hard copy signed contract is retained for a period of 7 years for legal reasons.
Our lawful basis for using your information
In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you.
There are six different lawful bases and for personal information and we use the following in connection with our funding practices:
- using your information in this way is necessary for us to our legitimate interests of furthering the aims and objectives of JRF’s mission
- we have your consent to do so
- using your information in this way is necessary for us to enter into a contract between you/your organisation and us.
Sharing your information
We may share your personal data with certain third parties. We may disclose limited personal data to a variety of recipients including:
- internal and external auditors
- when the JRF is legally required to do so (by a court, government body, law enforcement agency or other authority of competent jurisdiction), for example by the Charity Commission.
Last updated: August 2024
This privacy notice tells you what to expect when you register for one of our events, send us feedback or sign up to receive our newsletter and other updates.
It also applies to the people who have lived experience of poverty who agree to help us raise the profile of our cause as well as the people we contact because they have a specific interest in the areas covered by JRF’s policy work, research, and campaigns.
Types of personal information we collect
Events
We process the following types of data about you:
- your name, postal address, email address and telephone number
- organisation and job title
- dietary and accessibility requirements
- records of which of our events you have attended
Photography and filming is frequently used at our events. Notices will be placed at the event to inform delegates of photography and filming and you will advised on how to opt-out.
Mailing list subscribers
We process the following types of data about you:
- your name and email address
- organisation, location, and job title
- your specific subjects of interest and marketing preferences
- records of the links you click in the emails we send you
- information about your activities on our website and the device you use to access these, such as IP address and geographical region
Other stakeholders
We process the following types of data about you:
- your name and email address
- organisation and job title
- your area of expertise and your specific subjects of interest
Sources of your personal information
We gather sources of personal information from:
- you
- our websites
- from publicly available sources, such as your organisation’s website
How we use your information
We use your information for:
- providing you with the information you’ve requested
- contacting you to update you on our work where we share specific interests
- taking feedback to review and improve the work we do and services we provide to all our stakeholders
- to facilitate the event you have registered for
- promoting our cause
When you register for one of our events, we will use any special category information you give about your dietary or accessibility requirements to ensure these are met.
Our lawful basis for using your information
In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you.
There are six different lawful bases and for stakeholder personal information we use the following:
- using your information in this way is necessary for us to our legitimate interests of furthering the aims and objectives of the JRF’s mission to end poverty in the UK
- we have your consent to do so
Sharing your information
We may share your personal information with both our event partners and event delegates.
If you have lived experience and have agreed to work with us to promote our cause we may use your information in case studies and stories that we publish or share with the media. We will seek to anonymise your information wherever possible and will only use your information for this purpose if you have given us your consent for us to do so.
This privacy notice must be read in conjunction with the participant information sheet made available to you. This contains details about the data we hope to collect about you and how it will be used.
We may collect and process the following data from you directly, or via our partners (subject to data sharing agreement as appropriate):
- Full name
- Phone number
- Email address
- Postal address
- Demographic information such age, sex or gender, and employment status
- Sensitive information such as racial or ethnic origin, political opinions, religious beliefs, or health-related data
- Your opinions and reported behaviours
- Photos you submit
- Recordings, transcripts and notes from interviews and group discussions
- Recordings and transcripts of you responding to specific questions or tasks
How your data are stored, used and deleted is detailed in the participant information sheet, including how we protect pieces of information that can be used directly or in combination to identify you.
Updates and changes to your information
We update our privacy statements from time to time and these will be reflected on the website.
Please contact us to update us with any changes to your information and preferences.