Preservation of your privacy is important to the Norfolk Archives and Heritage Development Foundation (‘NORAH’) and we are committed to letting you know how we use your personal information and to making only responsible use of your data. Under data protection legislation, including the General Data Protection Regulation, we have a legal duty to protect any information we collect from you.
NORAH is a charity registered in England and Wales, registered charity number: 1167279 and is Data Controller for all of the data it collects during its day-to-day activities.
NORAH has contracted the Norfolk Record Office (‘NRO’) to process personal data on its behalf in accordance with the General Data Protection Regulation and UK data protection legislation. It will not be used by the NRO for any of their administrative purposes.
Any queries regarding NORAH’s handling of personal data, including subject access requests, should be directed to Mr Gary Tuson, Data Protection of NORAH, The Archive Centre, Martineau Lane, Norwich, NR1 2DQ, email firstname.lastname@example.org. NORAH’s website address is https://www.norah-df.org.uk.
2. NORAH’s Use of Companies to Deliver Services
NORAH has contracted trusted third party companies to perform services on its behalf. In some instances, these companies may act as data controllers in their own right. In each case, agreements exist between NORAH and the company to ensure personal data is processed in accordance with data protection legislation.
NORAH uses Google Analytics to measure user interactions with its website. Details about how Google uses information from sites or applications that use its services can be found at www.google.com/policies/privacy/partners/.
3. NORAH’s Mailing List
NORAH maintains a mailing list for the purpose of fundraising and promoting its interests. NORAH uses the mailing list to tell people about its activities, including fundraising campaigns. NORAH will only add someone to the mailing list if that person has agreed. The personal data processed for this purpose is name, contact details and location (via a postcode). NORAH’s legal basis for adding someone to its mailing list is therefore consent. An individual can withdraw their consent at any time without detriment. NORAH will not share an individual’s details with anyone else, without first getting that individual’s permission. NORAH uses MailChimp to manage its electronic mailing list. NORAH manages its postal mailing list itself.
4. When Else Do We Collect Personal Information?
There are occasions when NORAH processes personal information. It processes information relating to its trustees and authorised officers in order to operate as a charity. The legal basis for doing so is legal obligation under charity and fiscal legislation, except in the case of a trustees’ or authorised officers’ financial information, for which the legal basis is legitimate interest. Name, contact details and financial information of trustees and authorised officers may be passed to HM Revenue and Customs and The Charity Commission of England and Wales.
Correspondence with donors as well as advisers and representatives of other organisations, which contain names and contact details, is processed on the basis of legitimate interest. Payment details of customers and donors are processed on the basis of legal obligation and in the case of donors, details may be passed to HM Revenue and Customs. Name and contact details of customers are processed on the legal basis of contract.
When you purchase from us, we’ll ask you to provide information including your name, billing address, shipping address, email address, phone number, and credit card/payment details. We will use this information about your account order; respond to requests, including refunds and complaints; process payments and prevent fraud; comply with any legal obligations we have, such as calculating taxes; improve our store offerings.
5. How Long Do We Keep Personal Data For?
NORAH retains records containing personal information for various durations. Records relating to the successful appointment of trustees are retained for six years after an individual stops acting as a trustee. Trustee declarations are kept for four years after the year when that individual stops acting as a trustee. Personal information relating to unsuccessful applicants for the post of trustee are retained for one year after their application.
Finance records are kept for seven years.
Administrative records are kept for four years after the year in which they were received or created, including enquiries received by NORAH. The exception to this is invitation lists for events which are retained for three months after the event.
Records retained for the legal purpose of contract are retained for a maximum of six months after the end of the customer relationship. Evidence of an individual’s consent to join NORAH’s mailing list is destroyed when they are removed from the mailing list.
Under Article 89 of the GDPR and the provisions of the Data Protection Act 2018, NORAH will retain the register of trustees and trustee meeting minutes on a permanent basis for archiving purposes in the public interest.
We take all reasonable precautions to prevent the loss, misuse or alteration of information you give us. Any physical records which contain personal information are kept in a secure office environment and then in locked cabinets. Any electronic records which are kept by NORAH, are kept on secure servers based in the United Kingdom on systems provided to it by Norfolk County Council. All officers acting on behalf of NORAH receive training in data protection procedures every three years.
NORAH uses Secure Socket Layer (SSL) encryption technology whenever personal information is entered on the NORAH website, such as booking a talk. Where NORAH uses other companies, via its website, including MailChimp, PayPal, Stripe and BT MyDonate, these companies use encryption technology to protect personal data.
When visitors leave comments on NORAH’s website, we collect the shown in the comments form and also the visitor’s IP address and browser user agent string to help spam detection. If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
NORAH uses Akismet to prevent spam comments appearing on our website. Akismet collects the commentator’s IP address, user agent, referrer and site URL, along with other information provided by the commentator such as their name, username, email address and the comment itself.
Cookies on Our Website
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
NORAH uses an application called WooCommerce to sell products on its website. This uses three cookies; woocommerce_cart_hash; woocommerce_items_in_cart; and wp_woocommerce_session_. The first two, contain information about the cart as a whole and helps WooCommerce know when the cart data changes. The final cookie contains a unique code for each customer so that it knows where to find the cart data in the database for each customer. No personal information is stored within these cookies.
Cookies in Email Marketing
Cookies in Embedded Content
Cookies in Analytic Software
Most browsers allow you to refuse to accept cookies. More information about cookies, including how to block them or delete them, can be found at AboutCookies.org.
9. What Rights You Have Over Your Data
You have certain rights in relation to the personal information NORAH holds about you. Some of these only apply in certain circumstances. To exercise your rights, please contact NORAH’s data protection officer. If NORAH has any legal reasons to refuse your request, we will let you know if that is the case.
You have the right to access personal data we hold about you.
You have the right to request that inaccurate personal data we hold about you is rectified, or completed if it is incomplete.
In some instances, you can request that information we hold about you is deleted. Trustees, donors and those making enquiries can request NORAH to delete administrative paperwork where the legal basis of processing is legitimate interest. NORAH will delete any individual’s personal data from its mailing lists upon request.
Trustees, donors and those making enquiries can request NORAH to restrict processing to storage of administrative paperwork where the legal basis of processing is legitimate interest.
In some circumstances, individuals may obtain and reuse personal data which NORAH holds, for their own purpose. This relates to information provided purchasing items or services from NORAH, or when the legal basis for NORAH holding that information is consent, such as information on NORAH’s mailing list.
In some circumstances, you have the right to object to our processing of data about you and we will consider your request. You have an absolute right to object to your personal data being included in our mailing list.
10. Version Control
This document was revised on 25 January 2019 (version 4.0).