The John Muir Trust (hereafter referred to as the “Trust”) strives to comply with the very highest level of applicable laws and regulations relating to data privacy and security. The Trust is proud of its reputation as a fair and transparent processor and welcomes regulatory changes which seek to strengthen the protection of personal data. It is committed to protecting and respecting your privacy.
For the purposes of the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the GDPR, the data controller is the John Muir Trust of Tower House, Station Road, Pitlochry, PH16 5AN. The John Muir Trust is a registered Scottish Charity (SC002061) and also a company limited by guarantee (SC081620). The John Muir Trust is registered with the UK Data Protection Register under reference number Z7063675 (see www.ico.gov.uk)
• 1. How do we collect personal data?
• 2. What personal data do we collect?
• 3. Legal basis for the use of your data
• 4. Who else do we share your data with?
• 5. How is your data stored and for how long?
• 6. Your rights in relation to your data
• 7.0 Subject Access Requests
• 8.0 Under 18 year olds
• 9.0 Further information or complaints
• 10.0 Links to other policies
Data provided by you – Most of the personal data we collect is given freely by you when you become a supporter of the Trust whether that is as a member, donor, e-mail subscriber or in any other context. We collect this information from your membership request/renewal form, when you donate or buy products and when you participate in surveys, competitions or promotions. In the ordinary course of business we also collect information from related e-mail, written or telephone correspondence.
Data we collect about you – We receive automatic information every time you interact with our site, e-mails and on social media platforms. This includes:-
• Technical information, including the Internet Protocol (IP) address used to connect your computer or network to the Internet, browser type and version, time zone setting, browser plug-in types and versions, and operating system and platform; and
• Information regarding your visit, including the full Uniform Resource Locators (URL), download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page etc
• Cookies (see our cookies policy here www.johnmuirtrust.org.uk/cookies)
You can visit our website anonymously, although we cannot personalise your experience if you choose to do this.
We collect information you provide to us, which includes data you give when placing an order, becoming a member or donor or communicating with us in other ways. It can include:
• your name
• phone number
• email address
• date of birth
• dietary/medical information (e.g. when volunteering)
• credit/debit card details (note that we never store card data) and whether donations are gift aided.
• your personal views on an area of advocacy/campaign work
• when and how much you have donated to a particular cause.
If you choose not to disclose requested information, we may not be able to provide you with certain services.
If you purchase a John Muir Trust membership as a gift for someone or a family membership, your details and those of the recipients will be recorded along with your relationship to them.
If you purchase an Adopt an Acre gift for someone, your details and the details of the recipients will be recorded in order to fulfil the order.
If you work for us as a volunteer, contractor or member of staff then we may collect additional information about you (e.g. next of kin contact details, medical conditions). This information is retained for legal reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes. We take extra care to ensure sensitive personal data (such as health information) is protected such as ensuring this is ensuring this is only accessed by the Director of Finance & Resources. Additional information is collected for job applicants such as career history, reference contact details.
The information we collect is safely stored in our database and/or locked cabinets with restricted access. We have a retention and destruction policy which details the length of time we will hold your data for which can be found at (www.johnmuirtrust.org/retention).
We predominantly rely on the following clauses as a legal basis for the collection and processing of your data:
Some of the personal data we collect and process is done with your consent. For example, we rely on consent when we send you a marketing email if your email subscription preferences indicate you are willing to receive such emails. You have the right to withdraw consent at any time. See more information about your rights to withdraw consent further down.
We also process data when it is in our legitimate interest to do so and when this interest is not overridden by your data protection rights (see further down for more information about your rights). These fall broadly into processing for business and administrative purposes:-
Business – Improve the service we provide to our supporters, to better understand and improve your interaction with our website, to prevent fraud and to determine the effectiveness of our campaigns.
Administrative – Processing of membership, donations, gift aid, and product orders and in the organisation of volunteer work parties/training events and Local Member’s Groups. In some cases we may also process data to:
• enter into, or perform, a contract with you
• comply with a legal duty
• protect your vital interests (ie to protect someone’s life).
Finally, the Trust may process your data to comply with our legal and regulatory obligations e.g. preventing, investigating crime or working with law enforcement agencies.
Occasionally, we conduct internal research on our supporters’ data to help us better understand them, and provide a better service. This may include using web analytics or other information to identify common characteristics, interests and preferences. We will also obtain similar research data through our Membership Research Panel activities which will further help to shape the ongoing activities of the Trust as the internal research does. Our research is conducted on an anonymised basis and so cannot be linked to an identifiable person.
Firstly and most importantly, the Trust will NEVER sell your data to a third party so that they may use it for their own purposes. We will never disclose your information outside of the Trust other than with your consent, as permitted or required by law or as necessary to protect the rights, property or safety of us or others. There will be instances where data has to be shared with third parties for regulatory purposes (audit, minimum wage, pension) or for outsourced business activities (processing direct debits, mailing fulfilment). In these instances, and particularly where the counterparty is a “processor” as defined by GDPR, the Trust ensures that the very highest standards of data security and privacy protection are upheld to protect not just the privacy of the data subject but also the reputation of the Trust.
In the event of a merger or acquisition, the data may transfer to the new entity.
The Trust does not share information outside the European Union.
We will retain your personal information for no longer than we need it to provide our services and/or products to you. Please see our separate retention policy for specifics on how long we hold different data types (www.johnmuirtrust.org/retention).
We try to keep personal information which we hold about you up to date, but if you think that we are holding information which is inaccurate then please contact us at (email@example.com) or by telephoning 01796 470080.
Data you provide is held securely on a restricted access database which is managed by a third party and protected by key security measures. Any data held on our internal servers is also restricted access and further protected by password security as required. We will comply with industry standards to protect against loss, misuse or alteration of personal data but can make no guarantee that it will not occur.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Trust; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
The Trust will systematically review and delete any data they hold for which there is no longer a reason to do so and will particularly adopt this approach with respect to sensitive personal data.
As noted in the section below, you have the right to have your data erased. In the event of such a request, the Trust will delete the information immediately unless there is an overriding reason for us to continue to hold that data which does not significantly impede your personal rights, such as an ongoing legal claim. The Trust will aim to action your request within 7 working days or, in the event of the above situation, advise you why it has not been possible for your request to be actioned within that time period.
You have the following rights with respect to your data:
• the right for confirmation as to whether or not we hold your personal data
• the right to obtain a copy of the information we hold (see section on Subject Access Requests below).
• the right to have inaccurate data corrected
• the right to have your data erased, except where it is necessary for us to continue to use the data for a lawful reason.
• the right to object to our processing of your data for marketing or profiling
• the right to receive your data in a common electronic format where we hold it either on the basis of your consent or for the performance of a contract.
The Trust has always placed great importance on data security, good processing practices and transparency. Therefore, the Trust will not charge you to make a subject access request but reserves the right to do so should that request become manifestly unfounded or repetitive.
The Trust has a subject access request policy and form which can be found at www.johnmuirtrust.org.uk/subjectaccess. Please read this policy, complete the form and return it to the Data Protection Officer, John Muir Trust, Tower House, Station Road, Pitlochry, PH16 5AN or e-mail to JMT.Privacy@johnmuirtrust.org
As noted above, there is no charge levied by the Trust in responding to the request unless it is manifestly unfounded or repetitive. The Trust are obliged to respond in writing within one month. This period can be extended by up to two months where the requests are onerous but we will confirm the need for the extension within the required one month period.
The safety of children is very important to us. No information should be submitted or posted to the Trust by children under the age of 13 without prior parental/guardian consent. If you are aged under 13, please ensure you obtain your parent/guardian’s consent before sending any personal information to this website. The Trust will never knowingly send marketing materials to under 18 year olds. If you would like to become a member of the Trust and are under 18, please specify this on your membership application form so we can be sure we adopt the best possible practice in relation to the use of young individual’s data.
If you feel your complaint has not been appropriately resolved, you have the right to lodge a complaint to the Information Commissioners’ Office via (www.ico.org.uk) .
Retention policy – www.johnmuirtrust.org/retention
Terms and conditions – www.johnmuirtrust.org/terms-conditions
Subject access request policy and form www.johnmuirtrust.org/subjectaccess
This policy was last updated 25 May 2018.