Version Date: January 2021
We understand that the privacy of all of our course providers, donors, suppliers, volunteers and course candidates, is important to them and that they care about how their personal data is used. In this Privacy Notice, we refer to them all of those individuals as “you” for convenience.
We respect and value your privacy and will only collect, hold, use, or share your personal data in ways that are described here, and in a way that is consistent with our obligations and your legal rights.
Information about us
National Navigation Award Scheme (NNAS) is a registered charity no: SC039201 and is a company limited by guarantee registered in Scotland under no. SC320350 whose registered address is: Office 17 Stirling Enterprise Park, Springbank Road, Stirling, Stirlingshire, Scotland, FK7 7RP.
What does this Notice cover?
This Privacy Notice explains the types of your personal data that we collect, how it is collected, how it is held, how we use it, and how it is processed. It also explains your rights under data protection legislation relating to your personal data. Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
What is “personal data”?
Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we collect and use as a data controller is set out in paragraph 5 below.
We consider that we are a data controller when we deal with course providers, donors, suppliers, volunteers at all times however, we only act as a data controller with respect to the personal data of course candidates where a course candidate or potential course candidate contacts us directly (e.g. by phone or via the website) or we are dealing with a complaint involving the course candidate in accordance with the NNAS complaints policy.
In relation to other matters concerning a course candidate, including where we contact the course candidate for feedback on a course provided to them under the awards (by a course provider) we are a data processor and the course candidate is referred to the privacy notice of the course provider you have selected for delivery of the course and also the Candidate Information Notice which can be found in our Provider Terms.
In relation to your use of any candidate management system (CMS) we may use and allow you access to as a course provider, we are a data processor (and further the CMS provider, currently Tahdah Verified Limited) is a sub-processor). Please see the Provider Terms or the data processing provisions applicable to this relationship.
What are my rights?
Under the data protection legislation, you have the following rights, which we will always work to uphold. You have the right to:
- be informed about how we process your personal data;
- access and be given a copy of the personal data we hold about you. (See paragraph 10 below about this);
- require us to correct any personal data that we hold about you if any of it is inaccurate or incomplete;
- be forgotten: in certain circumstances you have a right to have your personal data erased from our records;
- restrict (i.e. prevent) the processing of your personal data;
- object to the way we process your personal data (e.g. for direct marketing);
- withdraw consent: if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time;
- data portability: the right in certain circumstances to have us transfer your personal data to another organisation; and
- not be subject to a decision based solely on automated processing (including profiling) which produces legal effects on you. We do not use your personal data in this way.
As to how to contact us for more information about our use of your personal data or exercising your rights as outlined above, see paragraph 11 below.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.
If you wish to make a complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office but please contact us first (see paragraph 11 below) so that we might try to resolve your concerns ourselves.
What personal data do we collect and how?
We may collect and hold some or all of the personal data set out below, using the methods set out there.
When we act as a Provider of workshops and courses, where the Candidate is under 18 years a parent’s email will be collected. We will send the parent this Privacy Notice which is applicable to the processing of data and copy them into any further correspondence.
|Data collected||How we collect the data|
|Identity Data.||When you complete a registration form to apply / renew course provider status / contact us directly/ agree to provide services or goods to us / when we manage a complaint/ if you make a donation and provide this information to us.|
|Contact Data.||When you complete a registration form to apply / renew course provider status / contact us directly/ agree to provide services or goods to us / when we manage a complaint / if you make a donation and provide this information to us.|
When you purchase goods via the provider shop/ payment of annual fees/ if you make donation and provide this information to us.
Where a Provider has chosen to use the online booking system provided by Tahdah, you are required to enter in bank details.
|Medical Data (special category data) as relevant to your participation in an activity||By completion of a health form before you attend a course or workshop.|
How do you use my personal data?
Under UK data protection legislation, we must always have a lawful basis for using personal data. The following table describes how we may use your personal data, and our lawful bases for doing so:
|What we do||What data we use||Our lawful basis|
|Administering our charity||All of the above as appropriate.||Legitimate interests.|
|Managing our relationship with you, e.g. as a volunteer, course provider, supplier/ managing payments / keeping the CMS up to date with course provider information||All of the above as appropriate.||Contract: for the performance of the provision of services to you / by registering as a course provider and payment of annual fees you have entered into a contractual relationship with us.|
|Communicating with you, including where you enquire about us, providers, the awards, volunteering, events/ as part of a complaint/feedback in respect of a course you have attended.||Identity and Contact Data||Legitimate interests: it is necessary for us to read the communication so we may respond in the way you would expect.|
|Receiving a donation from you and claiming Gift Aid on your donations.||Identity and Contact Data.||Legitimate interests; this is necessary for us to fulfil your intention of donating money.|
|Provide you with information about awards, revisions to awards, updates, information about NNAS generally (this is not direct marketing)||Identity and Contact Data.||Legitimate interests / Contractual purpose. We will only send such material to course providers and this is necessary to keep you informed about changes to policies that affect you and also to ensure that you get the most out of being a course provider.|
|To keep you safe while undertaking an activity or course run by NNAS or ensuring that your medical needs can be met||Medical data||Explicit consent: we will provide you with the opportunity to provide consent and how you can withdraw consent at the point that the data is collected.|
We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in paragraph 11 below.
If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so.
In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the data protection legislation and your legal rights.
How long will you keep my personal data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected and this is usually the later of 7 years from the date we collected it 7 years from the data we no longer have any dealings with you.
Data included in the CMS is deleted after 40 years by the CMS provider – see CMS privacy notice for more information [Tahdah privacy notice].
How and where do you store or transfer my personal data?
Save for the use of Google Drive for administrative purposes (where google servers hence processing may be located globally) we will only store or transfer your personal data within the European Economic Area (the “EEA”).
In respect of Google Drive the limits of our subscription do not allow us to mandate to Google that personal data is not transferred outside of the EEA. However, we have entered into Google’s standard data processing agreements and contract clauses to ensure that ICO recognised adequate protection is in place.
Do you share my personal data?
We will not share any of your personal data with any third parties for any purposes, subject to the following exceptions.
If we merge any or all of our organisation or assets, your personal data may be transferred to another charity. Any such new owner of our charity may continue to use your personal data in the same way(s) that we have used it as specified in this Privacy Notice.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
We have set out above that we use the CMS to administer parts of the course provider services to you. In doing so we have taken steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.
How can I access my personal data?
If you want to know what personal data we hold about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a subject access request (“SAR”).
All SARS should be made in writing and sent to the email or postal address shown in paragraph 11. There is not normally any charge for a SAR. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your SAR in accordance with the law.
How do I contact you?
To contact us about anything to do with your personal data and data protection, including to make a SAR, please contact the Data Protection Representative.
Email address: firstname.lastname@example.org
Telephone number: 01786 451307
Postal Address: 17 Stirling Enterprise Park, Stirling, FK7 7RP.
Changes to this Privacy Notice
We may change this Privacy Notice from time to time.