Other Policies

This website is one of a number established and operated by StC Payroll Giving. (StC or we).
By using this website, you consent to the collection and use of your information under the terms of this policy as in force at the time of use.

Policy for dealing with Vulnerable Donors

At Bell Fundraising, we want our clients, both charity clients and employers, to feel comfortable with the ways that we recruit donors. This policy aims to make sure that we meet this pledge at all times. We also want everyone who works for us to understand their responsibilities to all donors, whether potential donors or recruited donors. We want to work together in a clear and consistent way, always taking reasonable care to treat everyone fairly.

This policy follows the Institute of Fundraising’s guidance Treating Donors Fairly, specifically the guidance for fundraisers on responding to the needs of people in vulnerable circumstances and helping donors make informed decisions. The full report can be found here: http://www.institute-of-fundraising.org.uk/guidance/research/treating-donors-fairly/ 

Sections of this policy marked with an asterisk (*) have been taken directly from the Institute’s guidance. 

As well as the Institute of Fundraising, we are also members of the following professional body:

- Association of Payroll Giving Organisations (APGO)

We abide to follow the codes of each of these organisations and those regulations put forward by the Fundraising regulator and the Charities Act 1992 and the Charities (Protection and Social Investment) Act 2016, (as amended or replaced from time to time, or any statutory requirements or modifications thereof.

We want this policy to inform our working practices and be relevant to all. We will take steps to ensure that this approach is embedded in our organisation’s culture and ensure that this policy is visible at all times on our website. 

We will ensure all those that regularly communicate with donors are fully trained before they do so and that this training is refreshed at least once a year.

How do we identify an individual who needs additional care and support, or may be in a vulnerable circumstance?

The Collins dictionary defines “vulnerable” (amongst other things) as: 

1. Capable of being physically or emotionally wounded or hurt

2. Open to temptation, persuasion, censure, etc.

3. Liable or exposed to disease, disaster, etc.

We first need to define someone as vulnerable and then ascertain if this is a permanent or a current life situation. We will not make sweeping judgements on people - for example, age is not necessarily an indicator of vulnerability - and everyone should have the opportunity to donate, if they are able to do so. We also need to bear in mind that actively avoiding someone based on a characteristic such as age could be seen to be discriminatory. 

Permanent versus temporary vulnerabilities *

There is some overlap in these indicators above and the tests relating to mental capacity. The important distinction is whether the individual has a complete lack of capacity to make a decision, or needs more information and support to be able to make a decision to donate. Fundraisers need to be aware of this difference so that they can make a reasoned judgement and act appropriately when dealing with existing or potential donors. An individual who may need additional care and support, or may be in a vulnerable circumstance, can still have capacity to choose to donate to a charity. 

Examples include:


Current life situation

Physical & mental medical conditions

Physical & mental medical conditions


Times of stress or anxiety e.g. Bereavement, redundancy

Learning difficulties

Financial vulnerability

Financial vulnerability

Influence of alcohol or drugs

English not being the donors first language

Indicators that the individual appears confused *

It is not possible to provide a comprehensive set of factors or characteristics which would enable fundraisers to be able to always identify an individual who is in a vulnerable circumstance, may require additional support, or lack capacity. Instead, what follows is a (non-exhaustive) list of indicators or triggers which could signal that someone may be in a vulnerable circumstance or lack capacity. 

Are they: 

- Asking irrelevant and unrelated questions? 

- Responding in an irrational way to simple questions? 

- Asking for questions or information to be continually repeated? 

- Saying ‘yes’ or ‘no’ at times that it is clear they haven’t understood? 

- Taking a long time or displaying difficulty in responding to simple questions or requests for information? 

- Repeating simple questions such as ‘who are you, what charity is it, what do you want?’ 

- Wandering off the subject at hand and making incongruous statements? 

- Displaying signs of forgetfulness?

Indicators that the individual may have physical difficulties *

The displaying of physical difficulties by the donor does not necessarily indicate any issues of vulnerability or mental capacity. However, if a donor is experiencing or exhibiting any form of physical difficulty or distress, this could impact on their ability to make an informed decision on their donation at that time and could be addressed by a fundraiser acknowledging and addressing that need. 

Are they: 

- Unable to hear and understand what is being said? 

- Unable to read and understand the information they are provided with? 

- Displaying signs of ill-health like breathlessness or making signs of exasperation or discontent?

Indicators that the individual may be in a vulnerable circumstance (or lack capacity) *

Different signs should be more or less apparent depending on the nature of the communication and fundraising interaction – talking to an individual face to face will allow for more signs or indicators to be picked up by the fundraiser who can then respond appropriately. What is important is that fundraisers are alert to any signs given which indicate that the individual may not able to make an informed decision about their donation. 

Are they: 

- Giving a statement such as ‘I don’t usually do things like this, my husband/wife/son/daughter takes care of it for me’? 

- Saying that they are not feeling well or not in the mood to continue? 

- Indicating in any way that they are feeling rushed, flustered, or experiencing a stressful situation? 

- Having trouble remembering relevant information, for example forgetting that they are already a regular donor to that charity (e.g. have an existing Direct Debit), or have recently donated? 

- Donating an unexpectedly large gift with no prior relationship? 

(NB. There being no prior relationship before a gift is made does not on its own constitute ‘vulnerability’: many legacy and major donor gifts to charities are given without the existence of a relationship between the donor and charity.)

What should we do if a potentially vulnerable person wishes to sign a donor form? 

Interaction with vulnerable people may be unavoidable, especially as it is not always immediately obvious what a person’s situation is. How fundraisers respond to the needs of an individual will depend on the nature of the particular interaction and engagement. Fundraisers should be responsive to the needs of an individual and adapt his or her approach to suit those needs and the context.

Examples of how a fundraiser can respond to the needs of an individual: *

- Talk in clear language, avoiding words and phrases that may be hard to understand (but avoid shouting).

- Repeat information.

- Try to reflect the terminology used by the donor which may help to increase/speed up their understanding.

- Be patient and do not rush the individual.

- Provide alternative formats of fundraising materials (different language, accessible formats).

- Be upfront and tell the person why you are communicating with them and check they are happy to continue. 

- Ask if they would prefer to be contacted in a different form (email, letter) and offer to contact them at a different time.

- Ask if they would like to talk to anybody else before making a decision.

- Check their understanding at relevant parts.

- Check with a supervisor of HR manager if they are available.

Taking or returning a donation 

If you’re still unsure about whether or not we should allow the donor to complete a form, you should refer to the following checklist: *

- Check against the charity commission gift acceptance/refusal policy (section 6.3). https://www.gov.uk/government/publications/charities-and-fundraising-cc20/charities-and-fundraising 

- See whether the individual has completed a form before or if there is a prior relationship.

- Consider whether the donor was given any additional support at the time of completing the form to help them make an informed decision.

- Attempt to contact the donor to check that the donation, and amount, was intended.

- Make a judgement on whether you think that the person is able to make an informed decision – and if not, then do not process the form without checking with a supervisor or HR manager if they are available.

Ending contact 

Based on your assessment of the situation, it may be necessary to end the interaction. When doing this, care must be taken not to cause offense or upset. Examples of ways to end a verbal or email conversation include:

- ‘I’ve taken up enough of your time today, thank you for listening.’

- ‘Maybe you would like to take some more time to consider whether you’d like to support us?’

- ‘You’re welcome to contact us at your convenience to discuss this further…’

Terminating the interaction could depend on whether the individual’s vulnerability is judged to be a permanent or temporary situation. 

What should we do if we are contacted by a family member or carer?

If a donor – or a family member with power of attorney – contacts to say that a donation was made by someone unable to make an informed choice, then we can (and should) cancel the donation. It may also be appropriate to mark this person on our database as ‘do not contact’. 

However, if the contact is made by a third party - such as a family member, without power of attorney - we need to be satisfied that the request is being made on behalf of the donor. The onus here falls to the third party to provide evidence that they have the right to represent the donor. We should, of course, remain sensitive to the fact the donor may be going through a permanent or temporary change in circumstances that may be quite stressful to the third party. 

In all situations, the outcome and the preferences recorded should be followed up with a written confirmation to the donor.

Donor Privacy Notice


Data controller:  Bell Fundraising Ltd, Unit 97C+D, Harvey Drive, John Wilson Estate,

Whitstable, Kent, CT5 3QZ


Data Protection Officer: Suzanne Turner, 220 vale Road, Tonbridge, TN9 1SP

t: 01227 376998

e: compliance@bellfundraising.co.uk


Introduction: Bell Fundraising Ltd collects and processes the personal data of donors. Bell Fundraising Ltd is committed to being transparent about how it collects and uses that personal data, and to meeting its data protection obligations.


Information that Bell Fundraising Ltd collects

Bell Fundraising Ltd collects and processes a range of information about you. It collects:


  • Your name and address
  • Other contact details, including your email address and telephone number
  • Date of birth
  • Your charity(s) of choice and the amounts of your chosen donation(s)
  • The identity of your employer, your National insurance number, payroll details and chosen HMRC registered Payroll Giving Agent (PGA)


Bell Fundraising Ltd collects this personal data in a variety of ways. Personal data may be collected from you via:


·         Giving forms completed by you or on your behalf

·         Online forms completed by you

·         Your employer’s flexible benefits or other portals (if it has them)



Your personal data will be stored securely within Bell Fundraising’s donor systems and in other IT systems, predominantly using Citrix Sharefile for any data transfers.


Why does Bell Fundraising Ltd process personal data?

Bell Fundraising Ltd processes your personal data in line with our “legitimate interests” in ensuring that all of our donors’ charitable giving wishes and instructions are respected and fulfilled.


In order for your donation to be processed, Bell Fundraising Ltd must always share your name, address, employee and/or national insurance number, choice of charity(s) and donation amount with your employer’s Payroll Department and with the chosen HMRC registered Payroll Giving Agent (PGA). Your employer has a contract with the PGA, who are in turn responsible for passing the money that you donate to your chosen charity(s). [If your employer has an existing relationship with a different named organisation (e.g. a payroll provider or flexible benefits provider), we may need to share your details with that organisation in order to process your donation in accordance with your wishes.


Unless you have given us your consent, your personal data will not be used for secondary marketing or other donation solicitation purposes. If you have given us your consent for secondary marketing or other donation solicitation purposes, we will do so but only to the extent that you have given consent for this to happen.


Who has access to data?

Your personal data may be shared internally by employees and officers of Bell Fundraising Ltd if access to that information is necessary for the proper performance of their roles.


Your personal data will always be shared with your employer (and, where appropriate, your employer’s payroll provider and/or flexible benefits provider), and the relevant PGA; but only to the extent necessary to facilitate the making of your charitable donations in accordance with your wishes.


We may use it for secondary marketing or donation solicitation purposes; but only to the limited extent that you have consented to the sharing of your personal data for that purpose.


How does Bell Fundraising Ltd protect data?

Bell Fundraising Ltd takes the security of your data seriously. Bell Fundraising Ltd has internal policies and controls in place to minimise the risk of your personal data being lost, accidentally destroyed, misused or disclosed, and is not accessed or shared except a) by its officers or employees in the performance of their duties; or b) as otherwise explained in this privacy notice.


Where Bell Fundraising Ltd engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


For how long does Bell Fundraising Ltd keep data?

Bell Fundraising Ltd holds your personal data for 3 years in order to address administrative queries from your employer or chosen charity(s).


Your rights

As a data subject, you have a number of rights. You can:

  • Access and obtain a copy of your data on request
  • Require Bell Fundraising Ltd to change incorrect or incomplete data
  • Require Bell Fundraising Ltd to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • Object to the processing of your data where Bell Fundraising Ltd is relying on its legitimate interests as the legal ground for processing


If you would like to exercise any of these rights, please contact our Data Protection Officer (contact details as above).


If you believe that Bell Fundraising Ltd has not complied with your data protection rights, you have the right to complain to the Information Commissioner’s Office.


Automated Decision-Making

Bell Fundraising Ltd does not use your personal data for automated decision-making.




Ethical Fundraising Policy

Bell Fundraising Ltd -  Ethical Fundraising Policy

BFL Payroll Giving Ltd (BFL) is committed to its mission to help charities of all sizes to raise regular income using the Payroll Giving Scheme in order to provide long term income for these charity clients. We commit at all times to be open, honest, fair and legal.

This policy seeks to cover the ethical issues and social responsibility within fundraising. All BFL staff involved in fundraising have a responsibility to be aware and have a thorough understanding of the ethical issues referred to in this policy.

1. BFL respects the rights of donors to clear, truthful information on the work of BFL and to openly report how we manage donors' information responsibly.

2. We will comply with the Institute of Fundraising Codes of Fundraising Practice as amended from time to time and UK law in every respect, including those regarding openness and honesty with members of the public.

3. As members of the APGO’s self-regulatory scheme, we follow their Code of Conduct, which, amongst other things, helps to ensure that organisations raising money for charity from the public do so honestly and properly.

4. We will respect the privacy and contact preferences of all donors. We will respond promptly to requests to cease contacts or complaints and act as best we can to address their causes.

5. We will adhere at all times to the legal requirements of the Charities Act 1992 in England and Wales) and the Charities and Trustee Investment Act (in England and Wales) and the Charities and Trustee Investment Act (Scotland) 2005 and any amendments made to them. We will ensure that equivalent fundraising activities carried out in Northern Ireland are managed in the same manner. 

Our fundraisers will at all times:

1. provide clear and adequate, written or verbal, information to the public about possible follow‐up, including any applicable telephone procedures or other contact details as required by the Data Protection Act 1998 and comply with other provisions of the Data Protection Act 1998.

2. act honestly and in a manner that does not mislead and will not knowingly or recklessly disseminate false or misleading information in the course of their fundraising duties, nor permit others to do so.

3. utilise materials as agreed previously with the fundraising organisation.

4. ensure that in the event of a complaint, a record of the name, address and telephone number of the complainant is made and the complainant is referred immediately to the organiser of the activity and to the Fundraising Director of BFL.

5. Not directly encourage existing donors in any way to change an existing charitable donation to another fundraising organization.

6. use a courteous manner that will not bring BFL, the fundraising organisations or Payroll Giving into disrepute.

7. ensure that donors are aware that committed giving schemes are intended for long‐term donations; that the donor has the right to terminate the agreement at any point; and that fundraising organisations’ needs may be better served by a one‐off donation if the donor does not feel able to undertake a long term commitment;

8. terminate any contact politely and immediately upon request.

9. ensure that donors are aware that they are free to elect to give to any fundraising organisation following a Payroll Giving promotion, even if it is a fundraising organisation that the fundraiser is not directly representing.

10. ensure that all materials, especially completed donor forms, are held securely and in accordance with their obligations under the Data Protection Act 1998.

11. wear photo identity badges provided by BFL in a visible place at all times.

12. ensure that sufficient safeguards exist and are followed throughout the solicitation process to avoid pressurising potential donors, though reasonable persuasion can be used.

13. ensure that donors are aware that they have the right to terminate an agreement to donate to a fundraising organsation at any point. 

14. make legally compliant statements as to how BFL are paid.

15. process information as swiftly as possible and ensure that information relating to new donors is passed to the relevant parties as soon as possible.

16. when representing multiple organisations, ensure that all clients are represented in an entirely neutral manner.

Complaints Procedure

Complaints Policy of Bell Fundraising Ltd (BFL)

 BFL views complaints as an opportunity to learn and improve for the future, as well as a chance to put things right for the person or organisation that has made the complaint. Our policy is:

• To provide a fair complaints procedure which is clear and easy to use for anyone wishing to make a complaint

• To publicise the existence of our complaints procedure so that people know how to contact us to make a complaint

• To make sure everyone at BFL knows what to do if a complaint is received

• To make sure all complaints are investigated fairly and in a timely way

• To make sure that complaints are, wherever possible, resolved and that relationships are repaired

• To gather information which helps us to improve what we do

Definition of a Complaint

A complaint is any expression of dissatisfaction, whether justified or not, about any aspect of BFL.

Where Complaints Come From

Complaints may come from any person or organisation that has a legitimate interest in BFL. A complaint can be received verbally, by phone, by email or in writing. This policy does not cover complaints from a member of staff, who should use BFL’s Discipline and Grievance policies.


All complaint information will be handled sensitively, telling only those who need to know and following any relevant data protection requirements.


Overall responsibility for this policy and its implementation lies with the directors of BFL.


This policy is reviewed regularly and updated as required.

Adopted on 01/01/2015

Last reviewed on 27/11/2015.

Contact Details for Complaints:

Written complaints may be sent to BFL at Fernleigh, Bullockstone Road, Herne Bay, Kent CT6 7NL or by e-mail at enquiries@bellfundraising.co.uk.  Verbal complaints may be made by phone to 01227 375 363 or in person to any of BFL’s staff.


Receiving Complaints

Complaints may arrive through channels publicised for that purpose or through any other contact details or opportunities the complainant may have. Complaints received by telephone or in person will be recorded. The person who receives a phone or in-person complaint will:

·        Write down the facts of the complaint

•     Take the complainant's name, address and telephone number

•     Note down the relationship of the complainant to BFL (for example: charity, employer)

•     Advise the complainant that we have a complaints procedure

•     Advise the complainant what will happen next and how long it will take

•     Where appropriate, ask the complainant to send a written account by post or by email so that the complaint is recorded in the complainant’s own words.

In many cases, a complaint is best resolved by the person responsible for the issue being complained about. If the complaint has been received by that person, they may be able to resolve it swiftly and should do so if possible and appropriate. Whether or not the complaint has been resolved, the complaint information should be passed to a director within 24 hours. On receiving the complaint, the person who complaints go to will record it in the complaints log. If it has not already been resolved, they delegate an appropriate person to investigate it and to take appropriate action.

If the complaint relates to a specific person, they should be informed and given a fair opportunity to respond. Complaints should be acknowledged by the person handling the complaint within two working days. The acknowledgement should say who is dealing with the complaint and when the person complaining can expect a reply. A copy of this complaints procedure should be attached.

Ideally, complainants would receive a definitive reply within two weeks. If this is not possible because for example, an investigation has not been fully completed, a progress report will be sent with an indication of when a full reply will be given. Whether the complaint is justified or not, the reply to the complainant would describe the action taken to investigate the complaint, the conclusions from the investigation, and any action taken as a result of the complaint.

If the complainant feels that the problem has not been satisfactorily resolved, they can request that the complaint is reviewed at Board level. At this stage, the complaint will be passed to the Managing Director. The request for Board level review will be acknowledged within one week of receiving it. The acknowledgement will say who will deal with the case and when the complainant can expect a reply.

If an investigation has not been fully completed, a progress report will be sent with an indication of when a full reply will be given. Whether the complaint is upheld or not, the reply to the complainant will describe the action taken to investigate the complaint, the conclusions from the investigation, and any action taken as a result of the complaint. The decision taken at this stage is final, unless the Board decides it is appropriate to seek external assistance with resolution. At this point the complaint may be escalated to the APGO for resolution. See www.apgo.org.uk

Data Protection Policy

Bell Fundraising Ltd - Data Protection Policy

The directors and staff of Bell Fundraising Ltd (BFL) understand the data security needs and expectations of its interested parties both within the organisation and from external parties including, amongst others, clients, suppliers, regulatory and governmental departments. The company has recognised that the disciplines of confidentiality, integrity and availability of information in data security management are integral parts of its management function and views these as their primary responsibility and fundamental to best business practice. We ensure that the company:

  • Complies to all applicable laws and regulations and contractual obligations

  • Implements data security objectives that consider data security requirements following the results of applicable risk assessments

  • Communicates these objectives and performance against them, to all interested parties

  • Adopts a data security management system comprising a security manual and procedures which provides direction and guidance on data security matters relating to employees, customers, suppliers and other interested parties who come into contact with its work

  • Works closely with customers, business partners and suppliers in seeking to establish appropriate data security standards

  • Adopts a forward-thinking approach on future business decisions, including the continual review of risk evaluation criteria, which may impact on data security

  • Instructs all members of staff in the needs and responsibilities of data security management

  • Constantly strives to meet and, where possible, exceed its customer’s expectations

  • Implements continual improvement initiatives, including risk assessment and risk treatment strategies, while making best use of its management resources to better meet data security requirements 

Responsibility for upholding this policy is truly company-wide under the authority of the directors who encourage the personal commitment of all staff to address data security as part of their skills. The purpose of this policy is to demonstrate our commitment to robust data protection processes and to show that we follow the 8 Principles of the Data Protection Act 1998 (the Act). 

1.       Personal data shall be processed fairly and lawfully.

2.       Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3.       Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4.       Personal data shall be accurate and, where necessary, kept up to date.

5.       Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6.       Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.

7.       Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8.       Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


BFL is a professional fundraising organisation specialising in Payroll Giving Fundraising. Payroll Giving is a way of giving money to charity without paying tax on it. I It must be paid through the donor's employer's PAYE or from a pension (see the Taxes Act 1988, s.2020 and SI no 2211/1986 the Charitable Deductions (Approved Schemes) Regulations and SI no 759/2000 the Charitable Deductions (Approved Schemes) (Amendment) Regulations 2000).

1.       Policy Statement

1.1 Everyone has rights with regard to the way in which their personal data in handled. During the course of our activities we will collect, store and process personal data about charity donors, our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.

1.2 Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action. 

2.       About this policy

2.1 The types of personal data that we may be required to handle include information about charity donors, current, past and prospective suppliers, customers, employers and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Act and equivalent EU regulations. 

2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. 

2.3 This policy may be amended at any time and posted on our website www.bellfundraising.co.uk 

2.4 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data. 

2.5 Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to Helen Von Trotsenburg, hvont@ bellfundraising.co.uk 

3.       Definition of data security terms

3.1 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems. 

3.2 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.

3.3 Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

3.4 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act. We are the data controller of all personal data used in our business for our own commercial purposes.

3.5 Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.

3.6 Data processors include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf. 

3.7 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

3.8 Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

4.       Fair and Lawful Processing

5.1 The Act is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

5.2 For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the Act. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

5.       Processing for Limited Purposes

6.1 In the course of processing the Payroll Giving Scheme, we collect and process personal data. This may include data we receive directly from the data subject (for example, by their completing forms or from their communications with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, their employers, the charity partners, sub-contractors in technical, payment and delivery services and others). 

6.2 We will only process personal data for the specific purposes disclosed to the data subject, for which activities we will have their express consent, or for any other purposes specifically permitted by the Act. We will disclose those purposes to each data subject when we first collect the data or as soon as possible thereafter. 

6.3 There may be times when making the data anonymous (where the recipient will not be able to associate information about your donation with your identity) will be more appropriate, or possible (at their request), and we will take all reasonable steps to ensure that this is done. 

6.       Notifying Data Subjects

7.1 If we collect personal data directly from data subjects, we will inform them about: (a) The purpose or purposes for which we intend to process that personal data. (b) The types of third parties, if any, with which we will share or to which we will disclose that personal data. (c) The means, if any, with which data subjects can limit our use and disclosure of their personal data. 

7.2 If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter. 

7.3 We take every reasonable measure to ensure that you are not mislead about the collection and use of personal data and that no pressure or improper inducements are applied to or offered to data subjects when collecting data. 

7.4 We will also inform data subjects whose personal data we process that we are the data controller with regard to that data and how to contact us.

7.5 Any breach of our policy or other loss or disclosure of personal data will be reported to the Information Commissioner and to data subjects as soon as reasonably practical after discovery of the incident.

7.       Adequate, Relevant and Non-Excessive Processing 

We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject. This means that your data will only be used to ensure and enable your donation to reach your chosen charities. Data will be passed to the appropriate government registered agencies (with whom their employers have contracted) to enable the donations to reach the chosen charities and for those charities to process the donation. This processing ensures that the payment achieves the criteria for Payroll Giving.

8.       Accurate Data

We will only collect and process sufficient information to enable the Payroll Giving process to be achieved. We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data. 

9.       Timely Processing

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data that is no longer required or at the latest 7 years from collection. We use one of the UK's leading data destruction service suppliers. 

10.    Processing in Line with Data Subject's Rights 

11.1 We will process all personal data in line with data subjects' rights, in particular their right to:

(a) Request access to any data held about them by a data controller (see also clause 15).

(b) Prevent the processing of their data for direct-marketing purposes.

(c) Ask to have inaccurate data amended (see also clause 9).

(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else. 

11.    Data Security 

12.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. 

12.2 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processing company if they are approved by us and agree to comply with these procedures and policies, or if they put in place adequate security measures. 

12.3 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

(a) Confidentiality means that only people who are authorised to use the data can access it; our employees have robust confidentiality obligations in their contracts of employment.

(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed. (c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our, or our approved supplier's, central computer system instead of individual PCs. 

12.4 Security procedures include:

(a) Employee controls. All of our employees and the employees of any subcontractors who process data on our behalf are obliged to comply with our strict data security procedures.

(b) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)

(c) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

(d) Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

(e) Training, our employees are regularly updated in privacy procedures. 

12.5 We monitor and take all reasonable steps to prevent malicious internet attacks, such as hacking or a distributed denial of service attack. 

12.    Transferring Personal Data to A Country Outside The EEA 

13.1 We may transfer any personal data we hold to a country outside the European Economic Area ("EEA"), provided that one of the following conditions applies:

 (a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms.

(b) The data subject has given his consent.

(c) The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.

 (d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights. 

13.    Disclosure and Sharing of Personal Information 

13.1. We may share personal data we hold with third parties, subject to the data subjects consent, or any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

13.2. We may also disclose personal data we hold to third parties: (a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets. (b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets. 

If we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. 

14.4 We may also share personal data we hold with our data processing company Bell Donor Management Ltd (BDM). We have a written agreement in place with this supplier, which obliges them to meet rigorous international standards of data privacy. BDM have been accredited ISO 27001:2013 by an independent auditor.

14.    Dealing with Subject Access Requests

1.       Data subjects must make a formal request for information we hold about them. This must be made in writing.

2.       When receiving telephone inquiries, we will only disclose personal data we hold on our systems if the following conditions are met: (a) We will check the caller's identity to make sure that information is only given to a person who is entitled to it. (b) We will suggest that the caller put their request in writing if we are not sure about the caller's identity and where their identity cannot be checked.

3.       Our employees will refer a request to their line manager for assistance in difficult situations. Employees should not be bullied into disclosing personal information.

4.       Changes to this Policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.