The Autism Directory
We are The Autism Directory, an England and Wales charitable company limited by guarantee (with company number 7373840), charity number 1143855.
We take our duty to process your personal data very seriously. This policy explains how we collect, manage, use and protect your personal data. Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
If you would like more information or would like to change the way we communicate with you, please contact us here:
Personal information is collected directly from you when you interact with The Autism Directory, for example signing up to a campaign action, enquiring about an event, participating in an event, registering as a volunteer or ambassador, signing up to our newsletter, calling our helpline, purchasing a product, making a donation or otherwise communicate with us. Information may be collected in person, over the phone, online, on paper or by SMS.
The information we collect will typically include:
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data would be information about health (including diagnosis of autism), race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information to the extent that there is a clear reason for us to do so, for example asking for health information if you are taking part in a sporting event, or where we ask for information for the purpose of providing appropriate facilities or support. We will also collect this type of information if you make it public or volunteer it to us.
Wherever it is practical for us to do so, we will make why we are collecting this type of information clear and what it will be used for.
We may also receive information about you from other sources, as explained below.
The Autism Directory complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We collect this information in order to process your requests and to also keep in touch with you about The Autism Directory’s work. Examples include:
Certain third party organisations collect data on our behalf as well as for their own use. We may receive your personal details from third party organisations for our marketing purposes where you have consented for this information to be shared.
Third party organisations we currently receive data from are JustGiving, Virgin Money Giving, BT MyDonate, certain Event companiesand Eventbrite. These organisations will have their own data protection and privacy policies which you should be aware of before signing up.
We may also disclose or use personal information if required to do so by law and may use external data for the purposes of fraud prevention, for example to comply with money laundering regulations, or otherwise to protect the rights, property or safety of individuals.
Your information may be used to ensure that The Autism Directory complies with the Fundraising Regulator’s Code of Fundraising Practice, which stipulates that we must take steps to assess and manage risks to our work and reputation with regard to certain levels of donation. More details can be found at www.fundraisingregulator.org.uk.
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators such as the Charity Commission or Fundraising Regulator, or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us (for instance some branded merchandise or, in some cases, an event place), applying to work/volunteer with us, or being funded to undertake any work or activity.
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities The Autism Directory carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way.
When we use sensitive personal information we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
The Autism Directory takes the care of your data seriously and undertakes to protect your personal information in a range of ways including secure servers, firewalls and SSLencryption.
We follow payment card industry (PCI) security compliance guidelines when processing credit card payments and any personal information transferred between locations will be both encrypted and password protected. Unfortunately, the transmission of information using the internet is not completely secure. Although we will do our best to protect your personal data sent to us this way, we cannot guarantee the security of data transmitted to our site.
We will retain your information for as long as you have an active relationship with The Autism Directory. If you cease to have an active relationship with us or request to receive no further contact, we will retain some basic information in order to avoid sending you unwanted materials in the future.
In some cases we are required to keep some personal information for tax or health and safety purposes as well as records of your interactions with us. We have specific criteria for these cases and for how long we must retain your information.
The Autism Directory is aware that countries outside the European Economic Area have differing approaches to data privacy laws, and that enforcement may not be as robust as it is within Europe’s borders.
Organisations we work with who process data in the USA have verified their data processing standards meet the EU-US Privacy Shield, which sets out clear safeguards and transparency responsibilities for US-based organisations processing data from EU citizens.
Unless subject to an exemption you have the following rights with respect to your personal data:
To request an information access report which details the information we hold about you, please send your request in writing to the The Autism Directory Data Protection Officer at the following address:
Data Protection Officer
Unit 21 Business Development Centre
Treforest Industrial Estate
We aim to issue an initial response to all enquiries within five working days, and will offer a full response to all information access requests within thirty working days of receipt. The Autism Directory will provide a copy of this information free of charge.
If we wish to use your personal data for a new purpose, not covered by this GDPR notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
This policy was last updated in May 2018.
The Autism Directory reserve the right to make alterations from time to time. Please check our website from time to time for the latest version.