Your data and how we use it
At Porchlight we help people who have nowhere to go and no-one to turn to; some are homeless, others are struggling to cope with the pressures in their lives and need our support to keep on track. We help people with housing, mental health, education and employment, and their physical health and wellbeing. We make a positive impact on adults, children, families and communities as a whole.
Porchlight is a limited company registered in England and Wales, our registered company number is 1157482 and our registered charity number is 267116.
We need to process data about the people to whom we provide support, and to those who support us through campaigns, donations or volunteering. Porchlight are committed to protecting the privacy of our stakeholders and take care to safeguard it. This privacy statement outlines what data is collected, how it will be used, and what your rights are as a data subject.
This privacy statement is as comprehensive as possible however it is not an exhaustive list of every aspect of data collection and processing. We would be happy to provide further information or explanation about our services, if you have any questions please do get in touch with us, details are in the About Us section at the end.
Why we collect your data and how we collect it
We will collect the personal data or sensitive personal data needed in order to communicate with you and to provide and administer services to you. The type and amount of data collected will depend on the nature of your interaction with Porchlight.
We collect information about you that you give us directly by calling our offices or helpline, filling in forms on our website, attending drop in sessions or events, by completing surveys or forms, or by corresponding with us on social media, by phone, email or otherwise.
We may also receive information about you from third parties; this may be another support agency which is referring a client to us, from sponsorship forms or fundraising websites, or from other publically available sources.
What data we collect
The data we collect will vary based on the nature of your relationship and interaction with Porchlight.
We may collect any, but not necessarily all, of the following personal data such as:
- Your full name
- Contact details including postal address and address history, mobile and telephone numbers, and email addresses
- Date of birth
- National insurance number
- NHS number
- Disabilities, allergies and medication
- Drug or alcohol use
- Relationship status
- If you are a care leaver or a looked after child
- Your economic status including benefits information
- Your work and education history, including if you were a member of the armed forces
- Correspondence or contact you have with us
- Your engagement with services
- Next of kin or emergency contact information
- Details of other agencies or providers you are working with
We may also collect sensitive personal data such as details about your physical or mental health, religion, sexual orientation, ethnicity, race, political and philosophical beliefs, and criminal records.
You have the option to give us a password (e.g. mothers maiden name, place of birth, or memorable word) to add to your file which we will use as a security question if you call us regarding your data.
Calls to our helpline may be recorded and this is for training purposes, to provide quality assurance, to help with complaint investigations, and to enable us to improve the service that we offer, you will be informed that your call will be recorded prior to any data collection.
Donors and Supporters
We may collect any, but not necessarily all, of the following information depending on the nature of your support and communication preferences:
- Your full name, titles and honours
- Contact details including postal address, mobile and telephone numbers, and email addresses
- Date of birth
- Occupation or place of work
- And any other biographical information you choose to share with us including relational links
- Gift Aid declarations
We do not see or store card payment details for any donations made online through our website. Where a donation is made over the phone we will input the details to the same secure websites on your behalf.
We strongly advise against sending payment details by email. If we receive an email containing any payment information this will be immediately processed and the email deleted. Paper donation forms are always destroyed once we have processed and recorded donation details on our database.
If you choose to include Gift Aid with a donation, we are obliged to ask for your UK taxpayer status and full postal address including postcode. Your Gift Aid declaration and donation details must be held on our secure third party database for a minimum of 6 years as per Government guidelines and for financial auditing purposes.
“3.30.2 A charity run as a charitable company, which most are, must keep tax records (including Gift Aid declarations and records) until 6 years after the end of the accounting period they relate to.”
We keep records of your correspondence and engagement with us which may include details about invitations to events, attending events or participation in fundraising events.
If you attend an event we are organising, we may ask you to provide information such as dietary and accessibility information but this is only noted for the purpose of the event and will be deleted after the event.
Vulnerable donors and supporters:
We are committed to protecting vulnerable donors and supporters. Rarely we may also collect sensitive personal data on an individual where we believe a person to be vulnerable in order to comply with requirements under charity law and best practice as directed by the Fundraising Regulator. We will ensure that we do not send marketing and fundraising communications to those individuals through the use of a suppression list in order to avoid sending unwanted materials.
Further information can be found in our Supporter Care Charter, Treating Donors Fairly procedure, and Ethical Fundraising procedure: https://www.porchlight.org.uk/data
How we use your data
If you are receiving advice, support, or a service from us we will need to process your data in order to fulfil our obligations to you in providing this service. The information you give us lets us know what support you need, and we keep a record of what support you have been given and how this has helped. We will offer you suitable job, education or training opportunities based on your needs, or may be able to refer you to other services provided by Porchlight or our delivery network which would be of benefit to you.
We will invite you to participate in activities such as client involvement forums and feedback groups, and will ask for your feedback when you exit our services.
We will use data for statistical reporting in order to assess the quality of our services, to identify trends which help us improve existing services and develop new services, and to ensure we are meeting our contractual requirements. Statistical reports will not include any personal information which could be used to identify individuals.
We quality audit a set percentage of all our client files to ensure that our services are of a high standard and data collected is appropriate and proportionate, files will be audited by Porchlight staff and occasionally external auditors where the service is funded by another organisation (for example a local authority) or where Porchlight is seeking external accreditation for services. All auditors are bound by confidentiality and files will be anonymised if appropriate.
Donors and supporters
Processing and recording donations and Gift Aid:
The processing of one-off donations made on our website with debit and credit card payments is managed externally by Blackbaud on a secure payment transaction website. To protect your credit card information, when used according to manufacturer’s instructions, Blackbaud encrypts personal and credit card information during all transactions. For more information about Blackbaud visit www.blackbaud.com
The processing of regular donations made on our website with debit and credit card payments is managed externally by CAF on a secure payment transaction website.
When you make a donation we will use your payment and contact details, donation amount, date and time of payment to process that payment and take any follow-up administration actions such as sending a thank you letter or email unless you ask us not to acknowledge the donation.
We will keep a record of all your donations, giving history and gift aid details on our secure supporter database, Raiser’s Edge NXT.
Staying in touch:
As a charity providing vital services to the most vulnerable we cannot survive without the trust, confidence, support and generosity of the general public, major philanthropists, the business community, and grant-making trusts and foundations. In our endeavours to seek your support and funding for our work we need to keep you up-to-date with our fundraising, marketing and campaigning news, activities and updates on our support services.
We may use a range of activities and channels to contact current donors as well as to attract the support of prospective new donors – including our website, digital platforms, emails, fundraising challenges, fundraising events and receptions, direct mail appeals, meetings and phone conversations.
We will obtain your consent to contact you by email and text message for fundraising appeals and marketing purposes.
We will send you our non-fundraising annual newsletter and annual report to update you on how your donation has made a difference, based on it being within our legitimate interests to do so if you have donated to us within the last three years.
Presently, we only call people for administrative purposes. If we want to make marketing calls for fundraising appeals, we will contact existing donors and supporters by phone on the same legitimate interest basis unless you are registered with the Telephone Preference Service or have opted out of receiving marketing communications. We will obtain consent from all new donors and supporters to make marketing calls.
We will contact you:
with news and updates about our work including our newsletter Porchlight Post
about fundraising appeals and activities including requests for donations, information about gift aid, information on how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in fundraising events and challenges, and how your donations and fundraising support have a positive impact on our work and Clients
with details and invitations about our special supporter events including talks, workshops, seminars, conferences, receptions and functions
We will not use companies or individuals to:
knock on people’s doors to ask for donations of any kind be it cash, card payments or gifts in kind
approach people in the street asking for bank details
‘cold-call’ people to ask for donations over the phone
Donors and supporters can update their contact preferences at any time by emailing: firstname.lastname@example.org
The legal basis for processing your data
We will ensure that where we collect and process your data we will do so in accordance with the lawful bases defined by data protection laws, depending on the purposes for which we use your data, one or more of the lawful bases below may be relevant:
Consent where we have obtained your consent to use your information for specific purposes
Contract where we have entered into a contractual agreement with you
Legal obligation where there is a requirement for us to record information such as Gift Aid declarations, or accounting and tax purposes
Legitimate interests such as:
Administration and Operational functions – including responding to enquiries, providing information and support services, research, analysis and evaluation, the administration of employment, volunteering, and recruitment.
Governance – including the delivery of our charitable purposes, statutory and financial reporting, and other regulatory compliance purposes.
Fundraising and Campaigning – including administering donations and campaigns, sending direct marketing by post, sending thank you letters or acknowledgements, research, analysis and evaluation, and maintaining communication suppression lists.
Delivering services – ensuring safe and effective services are provided which protect both our staff and our Clients
Where legitimate interests has been identified as the lawful basis for processing data we will ensure that its use is fair and not intrusive and is only used in a way or for a purpose that you would reasonably expect.
If you do not wish to share your data with us we will be limited in the support or service that we can offer to you and may not be able to provide such services.
We are committed to protecting the privacy of the young people that we work with who are receiving support from our services, where we collect data from those aged under 13 we will always ask for parental or guardian consent.
Where we are working with young people from schools or youth groups in fundraising activities we will ensure that the appropriate controls are in place to protect their data and will only record generic information such as the number of young people taking part or the school/group they are part of.
Research and analysis
Supporter research and analysis:
We take seriously our duty to ensure that charitable donations are spent wisely, and that means doing some research and analysis to inform our decisions, set strategic objectives, develop fundraising and marketing strategies, forecast income and set budgets.
We carry out the following:
Analysing how emails are opened and read in order to ensure we are sending information that is relevant and of interest.
Segmentation – analysing information such as postcodes of supporters. This helps us to tailor appropriate communications to our donors and supporters as well as improve the care we provide you enhancing your engagement and experience as a Porchlight supporter.
Finding other people like you who might like to hear from us – we may use the email address you give us to help find more people like you, so that we can grow our supporter base through our online channels. We use third party services to do this including Google, Facebook and Twitter.
Analysing our supporter base to identify, communicate and engage with philanthropists and people who might choose to give a significant gift - we may undertake in-house desk research and engage specialist research companies to help us identify and engage with people who may wish to have a closer and more informed relationship with the charity and join our major donor funding programme by making a significant gift.
We will use information provided by you and that which is publicly available from sources such as Companies House, company websites, grant-making trusts and foundations websites, cultural and heritage websites, regional and local organisations websites like Kent Ambassadors, political and property registers, social network sites such as Linked In, and media archives. We may gather information on board memberships, governorships, trusteeships, directorships, patronages, typical earnings in a given industry or sector, hobbies, honours and publicly available news on philanthropic giving in articles published in print or online.
This information is vital to help us tailor our communication with you and to ensure it is relevant and timely. It helps us to understand you better so that we can make appropriate requests for significant financial support and send relevant invitations to join meetings, development groups and attend events which may be of interest. It provides a tailored, bespoke, positive experience for prospective philanthropists and high-net-worth supporters. We may also carry out research in this way to identify individuals not on our supporter database who may have an affinity to our cause but with whom we are not already in touch.
Under data protection legislation, you have the right to object your data being processed in this way. If you wish to opt out of being identified as a high net worth individual, please contact our Director of Fundraising & Communications at email@example.com
We are also legally required to carry out checks on individuals who donate large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.
Applying to work or volunteer with us
If you apply to work or volunteer with us your personal data will be collected to administer your application, and for equality and diversity monitoring. Personal data on all applicants is held for 12 months, unsuccessful applicant data is disposed of securely after 12 months while successful applicant data will be retained in personnel files.
We will need to share the data of successful applicants who are being offered a role in order to contact referees or to carry out a DBS check (role dependent); our application form requests your consent in order to allow us to do this.
If you sign up for our Job Alerts emails your name email address will be used to send you personalised email alerts with details of current vacancies at Porchlight. We will continue to send you job alert emails and retain your data indefinitely until you unsubscribe or request that we remove your details.
Website & Social Media
The Porchlight website uses Google Analytics to help us understand how people are using the site, what information they are accessing and engaging with and so enables us make our site meet the needs of the user.
If you do not want cookies to be stored on your PC you can adjust your privacy settings. All browsers allow you to manage these settings, which are usually found under the “Preferences” or “Tools” menu. You can find out more information about individual browser settings at www.aboutcookies.org
Our website contains links to other websites of interest, and we enable you to share information through social networking sites such as Facebook and Twitter. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement.
We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.
We will collect data on professional contacts and partners with whom we work or to whom we provide professional services (e.g. training). We may send our professional partners information and updates about our work and such contacts may opt out of receiving this information at any time.
Business to business fundraising contacts:
We maintain a record of information and communications related to businesses and their directors, grant-making trusts and foundations and their Trustees, statutory funding bodies, MPs, local Councillors and other holders of public office in order to undertake fundraising and campaigning activities in furtherance of our charitable aims. This will include a ‘point of contact’ name, a record of contact details such as postal and email addresses, phone numbers and publicly available information which will enable us to develop and manage positive ‘business to business’ working relationships with these individuals and individuals working for these organisations.
Retention of your data
We have an internal procedure which sets out the specified time for which we keep data, we refer to the data retention procedures of local authorities and national bodies in determining how long we will keep data and consider any legal requirements, legitimate interests, and guidance issued by regulatory bodies such as the Information Commissioners Office. Once the retention period has expired, we will securely dispose of data either by confidential waste disposal, anonymisation, or permanent deletion.
We generally keep records of people we have worked with for up to 7 years after their last engagement with us. There are exceptions for those who are care leavers or have been a looked after child where the law specifies that we must hold these records until the person’s 75th birthday, or where there are contractual requirements in place from funders who may require that we retain some data for longer periods.
Donors and supporters
We will store data relating to donors and supporters who have acted upon campaigning actions for seven years after their last donation or engagement.
If you request to receive no further contact from us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future. If your data includes your giving history and financial details, we will anonymise the data if it needs to be used for monitoring or forecasting reports.
If you have gift aided your donations, under current HMRC rules we are obliged by law to retain your gift aid declarations and details of any donations for six years after the date of your last donation.
Security of your data
We have appropriate operational and technical measures in place to protect your personal data and ensure its confidentiality, integrity, and availability. All information provided to the charity is stored securely and accessible only to those who are authorised to have access to it. We will take all reasonable steps and measures to ensure that the information you give us is protected against loss, misuse, unauthorised access or disclosure.
In the unlikely event that a data breach should occur, the charity has a data breach procedure in place which details our responsibilities to swiftly mitigate and rectify any breach, and to report to the ICO and data subjects as required.
Porchlight is certified with ISO 27001:2013 Information Security Management which is the international standard that describes best practice for an ISMS (information security management system). We have been certified by external, independent and expert auditors as following best practice with regards to information security management.
Salesforce - we keep all our client and volunteers’ data in a secure Salesforce database, this is protected so that only authorised staff have access to view the records. Our Salesforce database can carry out “automated decision making”, an example of this is where we would enter a person’s address and it will automatically tell us the nearest support service to them. The automated decision making is based on information which is manually entered by staff, and this can be overridden at any time.
Raiser’s Edge NXT – we keep all our supporter data in a secure Blackbaud database, this is protected so that only authorised staff have access to view the records. Raiser’s Edge NXT does not carry out any automated decision making.
HR net – we keep all our staff data in a secure ADP database, this is protected so that only authorised staff have access to view relevant records. HR net does not carry out any automated decision making.
We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.
Disclosure of your data
We will never sell, share or swap your details with any third parties for the purposes of their own marketing or the monetisation of your data.
Your data will only be shared with third parties where:
It is to a secure data processor carrying out processing activities on our behalf
We are required to do so by law, for example to regulatory bodies or law enforcement, or to enforce or apply our rights to protect the charity, for example in cases of suspected fraud or defamation
It is necessary to protect the vital interests of an individual, for example where we believe you or another person might be in danger
We have obtained your explicit consent to share it
We are required to share some information with our funders and commissioners for monitoring and quality assurance, and we also use anonymised data for internal equality and monitoring.
Use of data processors
We may use third party suppliers to manage mailing for fundraising appeals, campaigning, to conduct research or surveys, or for secure storage of personal information on our behalf where appropriate technical and security measures are in place.
We enter into contracts with all our data processors, and we require these third parties to comply strictly with data protection laws and will ensure appropriate controls are in place.
Our main processing systems are Microsoft Office 365, Microsoft Azure, Salesforce, Blackbaud and ADPnet, these are cloud services hosted within the EEA. Should you wish to know the current list of third-party data processors we work with please contact firstname.lastname@example.org
Transfer of data outside the European Union
In the unlikely event we were required to transfer data outside the EEA this would be done so in a secure manner and only where there is an adequate level of protection for the rights of data subjects in the receiving country, for example the EU-US Privacy Shield.
Your rights and complaints
Porchlight’s Data Subject Rights procedure gives you the full rights and protections under GDPR to access, rectify, erase, restrict, port, object, or complain regarding your data. The procedure and details on how to exercise your rights can be found here: https://www.porchlight.org.uk/data
To stop job alert emails, you can use the unsubscribe link included in every email or contact email@example.com to request that your email address be removed.
To stop fundraising-related communications emails please send your request to firstname.lastname@example.org
If you would like to opt out of Google Analytics monitoring, please use this link: https://tools.google.com/dlpage/gaoptout/
Our registered address is: Porchlight, 2nd Floor Watling Chambers, 18-19 Watling St, Canterbury, CT1 2UA. You can contact us on 01227 760078 or by email to email@example.com
Porchlight is registered with the Information Commissioners Office and can be found on the ICO’s register of data controllers under the registration number Z7763784.
This statement was last updated May 2021, if any significant changes are made to the way in which we use your data we will update this privacy statement and make you aware in our next communication with you.
Young Adults Mental Health Participation Service Survey Privacy Promise
Why and how we use your data
The Kent and Medway Clinical Commissioning Group (CCG) has commissioned Porchlight to listen to the experiences of young adults who have experienced mental health crises and have used local crisis intervention services. The aim of the survey is to gather the experiences of young people who have repeatedly reported poor experiences of care and treatment within current services, whether provided by statutory or non-statutory bodies.
The Survey will collate data and information provided to generate a report which analyses key themes and provides recommendations to Commissioners to improve services based on the experiences of young adults. The survey will not collect any personally identifiable information.
The report will be provided to the Kent and Medway CCG, Commissioners, and Kent and Medway Crisis Services directly. All data will be aggregated or anonymised for the final report and no personally identifiable data will be used.
In addition to the survey, we will also offer you the choice to take part in forums or focus groups to discuss your experiences in more depth, if you wish to take part in the forums or focus groups we will ask for your contact information to get in touch with you about these.
Where and when we keep your data
We will keep the data in a secure Microsoft Azure environment, we comply with all laws concerning the protection of personal data and have security measures in place to reduce the risk of theft, loss, destruction, misuse or inappropriate disclosure.
The data will be kept for the duration of the project (3 years) after which it will be deleted when the commissioners report is completed.
Where you have provided your personal data will have full rights over your data in line with the Data Protection Act 2018, a copy of our Data Subjects Rights procedure can be found here: https://www.porchlight.org.uk/...
Categories and recipients of data
We will collect different types of information based on the nature of support you have received and the agencies you received support from. The survey will ask questions around:
What the nature of your mental health experience was?
What care did you receive?
Did you feel the care you received met your needs? Did you feel supported?
Did you receive the intervention within an appropriate time frame?
Was follow up care provided?
If you wish to take part in the forums of focus groups we will ask you for the following information so that we can contact you about attending:
Personally identifiable data will not be shared externally and internally will only be accessed by those working on the project, aggregated or anonymised data will be for the final report and no personally identifiable data will be used.
Legal basis & supervisory authority
By responding to the survey or participating in in the forums or focus groups you are providing consent to our processing of the data in line with the purposes specified.
Porchlight are registered with the Information Commissioners Office and can be found on their register of data controllers with the reference Z7763784. Porchlight are the data controller for this data. Our registered address is: Porchlight, 2nd Floor Watling Chambers, 18-19 Watling St, Canterbury, CT1 2UA. T: 01227 760078, E: firstname.lastname@example.org