Volunteer privacy notice

Processing your personal data

What categories of personal data does the British Red Cross Society ("British Red Cross") collect about me and why?

"Personal data" means any information relating to you.  During the application process, the British Red Cross will collect, process and use your personal data, for a range of different purposes. For example:

What personal data?


  • Identification - your name and volunteer ID
  • Contact details
  • Next of Kin details
  • British Red Cross organisational data including IDs for IT systems
  • Working time data - including time recording systems data
  • CCTV images, telephone, email and the British Red Cross internet usage records
  • Travel data such as journeys made for volunteering purposes including overseas travel, train journeys, and car journeys.

Why?


  • To operate our IT systems and keep them secure
  • To manage our workforce
  • To comply with the law
  • To ensure you are complying with applicable British Red Cross policies and procedures
  • To communicate with you and with the British Red Cross volunteers and third parties
  • To comply with our financial and regulatory obligations
  • To better understand our people and the way they interact with us, whether they are staff, volunteers, supporters, or service users.

It's important to know that the British Red Cross may also need to process sensitive personal data about you such as health and medical data, criminal records data, and race or ethnicity data.

Arrow icon Read the detailed Volunteer Privacy Notice

Who might the British Red Cross share my personal data with, and what happens if it's transferred out of the UK?

We might also need to transfer your data to other third parties - e.g. potential business partners, acquiring entities, suppliers, customers, or government bodies. Our policy is to limit who has access to that data as much as we can. If we need to transfer data out of your jurisdiction, the British Red Cross will take all necessary measures to ensure your data is adequately protected.

Arrow icon Find out who your data is shared with


How long will the British Red Cross keep my personal data for?

We won't keep it for any longer than we need to. We will keep it to either to comply with the law or to ensure that we are complying with our obligations to you and other third parties. 

Arrow icon How long will the British Red Cross keep my data for?


What rights do I have in respect of my personal data?

You have a number of rights in relation to your data. These include a right to access, correct and erase your data as well as more technical rights to restrict the way we process it, and to transfer your data.

Arrow icon Read about your rights in more detail

 

Who can I contact if I have questions?

If you have concerns or questions regarding your personal data, please contact: Please contact the Information Governance Team:

Emaildataprotection@redcross.org.uk

Phone0344 871 1111

Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL

British Red Cross Society Volunteer Privacy Notice

British Red Cross Society, of 44 Moorfields, London, EC2Y 9AL ("British Red Cross") has prepared this Volunteer Privacy Notice ("Notice") to be provided to its Volunteers. In connection with your role as a volunteer, we have to process your personal data.

We think that it is very important that you understand how we use your personal data, and we take our obligations in this regard very seriously. The purpose of this Notice is therefore to give you information about how the British Red Cross collects, processes, stores and otherwise uses information about you, and your rights in relation to that information.

The British Red Cross needs to process your personal data in order to enter into a volunteering mutual agreement with you as well as meet its business and operational needs. If we are not able to carry out the processing activities we describe in this Notice we may not be able to work with you as a volunteer. Of course, we hope it would never come to that, and this is simply information we are required by law to provide to you as part of this Notice.

In certain limited circumstances we may need to ask for your specific consent to process your personal data in a particular way.

Where we do so, you will be entitled to withdraw your consent at any time by contacting us as set out at the end of this Notice. However, in most cases we will process your personal data for the reasons set out in this Notice and it won't be appropriate or necessary for you to provide consent.

In this Notice you will see reference to "GDPR" - that refers to the European Union General Data Protection Regulation which is a European law governing your rights in relation to your personal data, and how organisations should protect it. This law has been enacted in the UK by the Data Protection Act 2018.


Index

To help you find information quickly on any particular question you might have, we have set out an index.


Arrow icon What categories of personal data does the British Red Cross collect about me?

Arrow icon Who might the British Red Cross share my personal data with?

Arrow icon How long will the British Red Cross keep my data for?

Arrow icon What rights do I have in respect of my personal information?

Arrow icon Who can I contact about this stuff?


What categories of data does the British Red Cross collect about me?

"Personal data" means any information relating to you. The British Red Cross will collect, process and use the following categories and types of personal data about you:

  • Identification data, such as your name, signature, Volunteer ID, your photo (if voluntarily provided by you), background check information, CV, application form, drivers' licence information, bank details (in order to repay expenses)
  • Personal information, such as your date and place of birth, emergency contact details, next of kin details, gender
  • Contact details, such as your home address, telephone number and email address
  • Information about your role, such as the team you volunteer for and the activities you carry out
  • Grievance and disciplinary information, such as information about disciplinary allegations (including service user or supporter complaints), the disciplinary process and any disciplinary warnings, details of grievances and any outcome
  • Time and systems / buildings access monitoring information, such as CCTV images, swipe card access, time recording software, internet, email and telephone usage data
  • Organisational data including IDs for IT systems, company details, cost centre allocations, and organisations
  • Travel data such as journeys made for work purposes including overseas travel, train journeys, and car journeys.

together "Volunteer Data".

In addition to the collection, processing and use of the Volunteer Data, the British Red Cross collects, processes and uses the following special categories of personal information about you which we describe as "Sensitive Volunteer Data":

 

  • Health and medical data, such as information on sickness absence for the purposes of rota planning, information on work-related accidents for purposes of insurance compensation, work safety and compliance with legal obligations (such as reporting obligations) and information on disability for purposes of accommodating in the work place
  • Criminal records data, in the event that the British Red Cross has conducted or received the results of criminal records background checks in relation to you, where relevant and appropriate to your role
  • Race or ethnicity or nationality data such as information which you have voluntarily provided to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives
  • Sexual life data such as gender, sexual orientation, marital status where this has been provided voluntarily to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives
  • Religion where this has been provided voluntarily to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives.

 

Why does the British Red Cross need to collect, process and use my Volunteer Data and Sensitive Volunteer Data and what is the legal basis for doing so?

We collect and use Volunteer Data and Sensitive Volunteer Data for a variety of reasons linked to your volunteering with us. To help clarify these we have set out below a list of reasons why we collect and use this data (the "Processing Purposes"). However, we can only collect and use this data if we have a valid legal basis for doing so, and we are required to explain the various legal bases that we rely on to you.

To give you the full picture, we have set out each of the reasons why we collect and use Volunteer Data, i.e. the Processing Purposes, and mapped these against the different legal bases that allow us to do so. We appreciate that this is quite a lot of information to take in, so please bear with us.

Processing purposes

1. Administering our workforce and managing the volunteering relationship including managing volunteering activities, repayment of expenses, tracking volunteering hours, producing and maintaining corporate organisation charts, entity and intra-entity staffing and team management, managing and monitoring business travel, carrying out workforce analysis, providing references, and administering ethics and compliance training which involves the processing of identification data, contact details, information about your role, and organisational data.

Legal bases

  • Legitimate interests of the British Red Cross
  • Compliance with legal obligations which the British Red Cross is subject to
  • Necessary for performing a contract with you as the data subject.

2. Providing IT systems and support to enable you and others to perform their work, to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure which involves processing almost all categories of Volunteer Data.

  • Necessary for performing a contract with you as data subject
  • Legitimate interests of the British Red Cross; and
  • Compliance with legal obligations which the British Red Cross is subject to in relation to data protection law.

3. Complying with applicable laws and regulatory requirements along with the administration of those requirements, such as health and safety, and data protection laws, which involve the processing of identification data, contact details, information about your role and organisational data - including in response to requests from you for the exercise of your rights as a data subject.

  • Compliance with legal obligations which the British Red Cross is subject to, particularly in relation to tax law, employment law, data protection law, social security law and immigration law; and
  • Legitimate interests of the British Red Cross.

4. Monitoring and ensuring compliance with applicable policies and procedures and laws, including conducting internal investigations or cooperating with external investigations, which involves the processing of identification data, contact details, information about your role and organisational data.

  • Legitimate interests of the British Red Cross

5. Communicating with you, the British Red Cross volunteers and third parties (such as existing or potential business partners, suppliers, customers, end-customers or government officials), which involves the processing of identification data, contact details, information about your role and organisational data;

 

  • Necessary for performing a contract with you as data subject
  • Legitimate interests of the British Red Cross; and
  • Compliance with legal obligations which the British Red Cross is subject to.

6. Communicating with your designated contacts in the case of an emergency which involves the processing of contact details, information about your role and organisational data.

  • Necessary to protect your vital interests as data subject; and
  • Legitimate interests of the British Red Cross.

7. Responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country which involves the processing of identification data, contact details, information about your role, and organisational data;

  • Compliance with legal obligations which the British Red Cross is subject to; and
  • Legitimate interests of the British Red Cross.

8. Complying with corporate financial and regulatory responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control which involves the processing of identification data, contact details, information about your role, and organisational data.



Below are the Processing Purposes and corresponding Legal Bases for Sensitive Volunteer Data:

Processing purpose

1. Workforce planning, compliance with legal obligations, insurance compensation and providing an accommodating workplace may require health and medical data, such as information on absences, work-related accidents and disability.

Legal Bases

  • Necessary to carry out the  obligations and to exercise specific rights of the British Red Cross or you in the field of health and safety law, as permitted by local data protection law.

 

2. Criminal records and other background checks (including under the Misconduct Disclosure Scheme), in relation to you, where relevant and appropriate to your role.

  • Your explicit consent as allowed by the data protection law
  • Necessary to carry out the obligations and to exercise specific rights of Reconnects or you in the field of employment and social security and social protection law as permitted by local data protection law; and
  • Necessary for reasons of substantial public interest as permitted by local data protection law.

We appreciate that there is a lot of information there, and we want to be as clear with you as possible over what this means. Where we talk about legitimate interests of the British Red Cross or third parties, this can include:

 

  • Management of the volunteer relationship including disciplinary and grievance issues;
  • Protecting your health and safety in the workplace, and the health and safety of others;
  • Implementation and operation of an organisational structure and information sharing;
  • Right to freedom of expression or information, including in the media and the arts;
  • Customer Relationship Management and other forms of marketing;
  • Prevention of fraud, misuse of company IT systems, or money laundering;
  • Operation of a whistleblowing scheme;
  • Physical security, IT and network security;
  • Internal Investigations
  • Analyse data to better understand our people, and the way they interact with us, whether they are staff, volunteers, supporters, or service users;

When relying on the legitimate interests basis for processing your personal data, we will balance the legitimate interest pursued by us and any relevant third party with your interests and fundamental rights and freedoms in relation to the protection of your personal data to ensure it is appropriate for us to rely on legitimate interests and to identify any additional steps we need to take to achieve the right balance.

 

Who might the British Red Cross share my personal information with?

The British Red Cross may transfer personal data to third parties, including to entities within and outside the British Red Cross, for the Processing Purposes as follows:

  • Communication with third parties.  As necessary in connection with business operations, work contact details and communication contact details may be transferred to existing or potential business partners, suppliers, customers, end-customers or government officials and other third parties.
  • Regulators, authorities, and other third parties.  As necessary for the Processing Purposes described above, personal information may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), insurance providers, , internal compliance and investigation teams (including external advisers appointed to conduct internal investigations).
  • Data processors.  As necessary for the Processing Purposes described above, personal data may be shared with one or more third parties, whether affiliated or unaffiliated, to process personal information under appropriate instructions ("Data Processors"). The Data Processors may carry out instructions related to workforce administration, IT system support and maintenance, expense reimbursement, training, compliance, and other activities, and will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal information, and to process the personal information only as instructed.

For a full list of the third parties that we may share your data with, please contact us as set out below.

 

As you may expect, some of the recipients we may share Volunteer Data and Sensitive Volunteer Data with may be located in countries outside of Europe. In some cases, this may include countries located outside the European Union and/or European Economic Area ("EAA").

Some countries where recipients may be located already provide an adequate level of protection for this data (e.g. those within the EEA). Nonetheless, for transfers to entities outside of the EEA, the British Red Cross will be bound by the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, which the European Commission has assessed as providing an adequate level of protection for personal data, to ensure that your data is protected adequately.

If recipients are located in other countries without adequate protections for personal data, the British Red Cross will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the EU Standard Data Protection Clauses. You can ask for a copy of such appropriate safeguards by contacting us as set out below (Who can I contact about this stuff?).

 

How long will the British Red Cross keep my personal information for?

It is our policy not to keep personal information for longer than is necessary.  We may, for example, keep your personal information for a reasonable time after you have stopped volunteering to ensure that the British Red Cross has the records it needs in the event of a dispute or regulatory investigation and to ensure that any ongoing obligations can be complied with, such as complying with requests from regulators, and to contact you about future volunteering opportunities at the British Red Cross.

 

Where personal information is kept, that period will be determined based on the applicable law. For further information, please refer to the British Red Cross Records Management Policy or the Records Retention Schedule or contact us as set out below to request further details on how long the British Red Cross will retain different categories of personal information.

 

Processing personal information about vulnerable individuals and children

Vulnerable Individuals

We understand that additional care may be needed when we collect and process personal information of volunteers who are considered vulnerable. In recognition of this, we observe good practice guidelines in our interactions with vulnerable people.

Children

If you're aged under 16, you must get your parent/guardian’s permission before you provide any personal information to us.

 

What rights do I have in respect of my personal information?

You have a number of rights in relation to your Volunteer Data and Sensitive Volunteer Data.  These can differ by country, but can be summarised in broad terms as follows:

 

(i) Right of access

You have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.

(ii) Right to rectification

You may have the right to rectify inaccurate or incomplete personal data concerning you.

(iii) Right to erasure (right to be forgotten)

You may have the right to ask us to erase personal data concerning you.

(iv) Right to restriction of processing

In limited circumstances, you may have the right to request that we restrict processing of your personal data, however where we process Volunteer Data and Sensitive Volunteer Data for the Processing Purposes we think that we have a legitimate interest in processing which may override a request that you make.

(v) Right to data portability

You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.

(vi) Right to object and rights relating to automated decision-making

Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

To exercise any of these rights, please contact us as stated below (Who can I contact about this stuff?). 

You also have the right to lodge a complaint with the competent data protection supervisory authority, which in the UK is the Information Commissioner's Office (the "ICO"). If you would like to make a complaint in relation to how we have handled your personal information, please follow our complaints procedure. If you are not happy with the response you receive, then you can raise your concern with the ICO:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


Who can I contact about this stuff?

If you have concerns or questions regarding this Notice or if you would like to exercise your rights as a data subject, you can get hold of the right person here: Please contact the Information Governance Team:

 

Emaildataprotection@redcross.org.uk

Phone0344 871 1111

Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL