Privacy Policy

Privacy Notice

 

1. This privacy notice is supplied in compliance with the United Private Hire Drivers (UPHD)’s data protection obligations under the General Data Protection Regulations (GDPR).

2. The United Private Hire Drivers (UPHD) is the data controller. The UPHD’s contact information is:

Address: 102 Seymour Rd, Headley Down, Bordon GU35 8JU, UK

Phone: https://www.uphd.org/helpline

Email: office@uphd.org

‍Data specific email: office@uphd.org

Website: UPHD.org

3. The UPHD's Data Protection Team can be contacted at:

Address: 102 Seymour Rd, Headley Down, Bordon GU35 8JU, UK

Phone: https://www.uphd.org/helpline

Email: office@uphd.org

4. As a membership organisation which provides legal advice and representation, the UPHD gathers a fair amount of data. In addition to personal data pertaining to our members, we also gather data on our employees and volunteers, as well as on donors, supporters, and business contacts. Below we set out more information on the information gathered, and reasons for gathering.

 

5. Our mailing list is processed and controlled using MailerLite. For more information on how MailerLite processes your personal data and your data protection rights, please visit https://www.mailerlite.com/legal/privacy-policy

 

6. We use Memberstack to process your Direct Debit payments.More information on how Memberstack processes your personal data and your data protection rights, including your right to object, is available at https://www.memberstack.io/legal/privacy-policy

 

Your Data and How We Use It

As a membership organisation, which provides legal advice and representation, the UPHD gathers a fair amount of data. In addition to personal data pertaining to our members, we also gather data on our employees and volunteers, as well as on donors, supporters, and business contacts.Further information may be found in our Data Protection Policy.

Data Processing

The data processing will mainly take place in the United Kingdom and the EU. However some data processing may occur in the United States as this is where the cloud servers of some of our data processors are located.There is also a slight risk that processing occurs in other non-EU countries if an email account is accessed there. However, the UPHD discourages this.

 

Your Rights

You have a number of rights under the GDPR, as summarised below. More detail on all of these rights can be seen in the UPHD Data Protection Policy. It is important to note that as long as it is clear which right you are attempting to exercise, there is no precise wording in which your request needs to be put.

 

1. Right of Access. You have the right to access your personal data and supplementary information. If requested, your data will be provided to you within one month, save for exceptional circumstances. For more information on this right, see the UPHD Data Protection Policy.

2. Right to Rectification. You have the right to have your personal data rectified if it is inaccurate or incomplete. For more information on this right, see the UPHD Data Protection Policy.

 

3. Right to Erasure. You have the right, in certain circumstances, to request the deletion or removal of your personal data. For more information on this right, see the UPHD Data Protection Policy.

 

4. Right to Restrict Processing. You will have the right to‘block’ or suppress processing of your personal data in certain circumstances.For more information on this right, see the UPHD Data Protection Policy.

 

5. Right to Object. You have the right to object to the processing of your data in certain circumstances. These include if the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), if your data is being used for direct marketing (including profiling) and if we are processing your data for the purposes of scientific/historical research and statistics. Your objection must be on grounds relating to your particular situation.

 

 

If you wish to exercise your right to object, your objection should be communicated to:

 

1. If you are an employee, to your line manager;

2. If you are a volunteer, to your main contact at UPHD;

3. If you are a member and the request relates to membership data, to the DPO (contact information above);

4. If you are a member and the data relates to a case you have or had with the Legal Department, to your caseworker;

5. For any other reason, or for more than one of the above,to the UPHD (contact information above).

 

If an objection is received, the UPHD will cease processing your data unless:

 

1. We can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or

2. The processing is for the establishment, exercise or defence of legal claims.

 

If you feel the UPHD has not processed your data in compliance with the law, or has in some other way breached your data protection rights, you can make a complaint to the Information Commissioner’s Office(ICO). The ICO’s contact details are:

 

1. Helpline: 0303 123 1113

2. Live chat: ico.org.uk/global/contact-us/live-chat

3. Email: casework@ico.org.uk

4. Website: ico.org.uk

 

GDPR Data Protection Policy

Data Protection Policy

 

What Data We Gather And Why

1. Data Protection And You

As a membership organisation which provides legal advice and representation, the UPHD gathers a fair amount of data. In addition to personal data on our members, we also gather data on our employees and volunteers, aswell as on donors and business contacts. Below we set out more information on the information gathered and reasons for gathering.

 

2. Membership Data

1. The UPHD maintains membership records for all members.The records include such things as the member's name, contact details, ban kinformation, and location. This information is provided by the members.

2. An individual's membership records are maintained by us throughout their membership and for six years post-membership.

3. The lawful basis for collecting this data is known as"Legitimate Interests" (GDPR Article 6(1)(f)). The legitimate interest we pursue is running a social enterprise not for profit whose primary purposes are providing support and representation for members, campaigning to improve working conditions and social enterprise activities.

4. The UPHD has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing membership data are appropriate. A copy of the DPIA can be provided to members upon request.

5. The UPHD engages data processors to assist with the processing of membership data. Types of processors include email servers such as gmail, Direct Debit payments and management using Memberstack, and other processors which facilitate communication with members, such as MailerLite. The UPHD reserves the right to engage other processors as and when is necessary to assist with the processing of membership data in furtherance of the legitimate aims identified above, and suitable information is provided in the privacy policy section above.

 

3. Casework Data

1. The UPHD maintains additional records for members who are seeking legal advice and/or representation with our Legal Department. The records include such things as extensive details related to their occupation or licencing and in many cases will include medical records. This information is provided mainly by the members though some may be provided by third parties involved in the member’s case.

2. An individual’s casework records are maintained by us during their case and for six years post-case.

3. The lawful basis for collecting this data is known as“Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is providing quality legal advice and representation to UPHD members.

4. The UPHD has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing casework data are appropriate. A copy of the DPIA can be provided to members upon request.

5. The UPHD engages data processors to assist with the processing of casework data. Types of processors include email servers such as gmail and electronic document storage such as Google Drive. The UPHD reserves the right to engage other processors as and when is necessary to assist with the processing of casework data in furtherance of the legitimate aims identified above.

4. Employee Data

1. The UPHD collects personal data on its employees so as to carry out its function as an employer. The records include such things as contact details, CVs, bank details, and employment records. This information is provided by the employees.

2. This data is maintained by us for two years or as long as is necessary for the defence of potential legal claims.

3. The lawful basis for collecting this data is known as“Legitimate Interests” (GDPR Article 6(1)(f)). The Legitimate interest we pursue is: being a fair employer which provides staff with all relevant statutory rights as well as terms and conditions above and beyond those required by statute.

4. The UPHD has conducted a Legitimate Interest Assessment(LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to employees upon request.

5. The UPHD engages data processors to assist with the processing of employee data. Types of processors include email servers such as Gmail, electronic document storage such as Google Drive, and other processors which facilitate the UPHD’s role as an employer. The UPHD reserves the right to engage other processors as and when is necessary to assist with the processing of employee data in furtherance of the legitimate aims identified above.

 

5. Volunteer Data

1. The UPHD collects personal data on its volunteers so asto carry out its function as a voluntary/non-profit organisation which uses volunteers. The records include such things as contact details and CVs. This information is provided by the volunteers.

2. This data is maintained by us for six years after volunteering or as long as is necessary for the defense of potential legal claims.

3. The lawful basis for collecting this data is known as“Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is being a voluntary/non-profit organisation which depends on the help of volunteers to function.

4. The UPHD has conducted a Legitimate Interest Assessment(LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to volunteers upon request.

5. The UPHD engages data processors to assist with the processing of volunteer data. Types of processors include email servers such as Gmail and electronic document storage such as Google Drive. The UPHD reserve sthe right to engage other processors as and when is necessary to assist with the processing of volunteer data in furtherance of the legitimate aims identified above.

 

6. Donor and Supporter Data

1. The UPHD collects personal data on donors and supporters so as to carry out fundraising activities and obtain support for campaigns and other initiatives. The data concerned are names and contact information. This information is provided by the donors, supporters, or a third party which assists in the fundraising or campaigning efforts.

2. This data is maintained by us indefinitely or until it is requested we delete it.

3. The lawful basis for collecting this data is known as“Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to obtain donations and support from individuals in order to help finance the UPHD as a voluntary/non-profit organisation and support the UPHD as a campaigning organisation.

4. The UPHD has conducted a Legitimate Interest Assessment(LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to donors and supporters upon request.

5. The UPHD engages data processors to assist with the processing of donor and supporter data. Types of processors include email servers such as gmail, electronic document storage such as Google Drive, and other processors which facilitate communication with donors and supporters,such as MailerLite. The UPHD reserves the right to engage other processors as and when is necessary to assist with the processing of donor and supporter data in furtherance of the legitimate aims identified above.

 

7. Business Contacts' Data

1. The UPHD collects personal data on business contacts so as to be able to liaise with other organisations to achieve its aims. The data concerned are names and contact information. This information is provided by the business contacts themselves, by third party mutual contacts, or is publicly available.

2. This data is maintained by us indefinitely or until it is requested we delete it.

3. The lawful basis for collecting this data is known as“Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to have a network of like-minded organisations with whom the UPHD can work to achieve its aims.

4. The UPHD has conducted a Legitimate Interest Assessment(LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to business contacts upon request.

5. The UPHD engages data processors to assist with the processing of business contacts’ data. Types of processors include email servers such as gmail, electronic document storage such as Google Drive, and other processors which facilitate communication with business contacts, such as MailerLite. The UPHD reserves the right to engage other processors as and when is necessary to assist with the processing of business contacts’ data in furtherance of the legitimate aims identified above.

 

Your Rights

1. Right of Access

1. You have the right to access your personal data and supplementary information. This will allow you to be aware of and verify the lawfulness of the UPHD’s processing of this data.

2. To request access to your personal data, please send your request to the UPHD (contact information below) and entitle the request:“Access to Personal Data”.

3. So as to ensure that your data is not accidentall disclosed to a third party, the UPHD will use reasonable means to verify your identity.

4. Once a request is received, your information will be provided to you free of charge, save for exceptional circumstances. However,the UPHD does reserve the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. The UPHD may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative costs of providing the requested information.

5. Your information will be provided without delay and at the latest within one month of receipt, save for exceptional circumstances. If your requests are complex or numerous, the UPHD may extend the period for compliance by a further two months. However, if this is the case, we will contact you within one month of receipt of your request, in order to explain why the extension is necessary.

6. In the unusual event that for some legitimate reason the UPHD refuses to respond to a request, the UPHD will, without delay, and no later than one month from receiving the request, write to you to explain the rationale of the refusal and informing you of your right to complain to the Information Commissioner’s Office (ICO) and to a judicial remedy.

 

2. Right to Rectification

1. You have the right to have your personal data rectified if it is inaccurate or incomplete.

2. If the UPHD has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification unless this proves impossible or involves disproportionate effort. If requested, the UPHD will provide you with information about these recipients.

3. Once a request for rectification is received, the UPHD will comply within one month unless the request for rectification is complex,in which case the time period may be extended by a further two months.

4. In the unusual circumstance that the UPHD for some legitimate reason does not take action in response to a request for rectification, we will explain why, and will inform you of your right to complain to the ICO and to a judicial remedy.

5. Your request should be sent to:

1. If you are an employee, to your line manager;

2. If you are a volunteer, to your main contact at UPHD;

3. If you are a member and the request relates to membershipdata, to the DPO (contact information below);

4. If you are a member and the data relates to a case you have or had with the Legal Department, to your caseworker;

5. For any other reason, or for more than one of the above,to the UPHD (contact information below).

 

3. Right of Erasure

1. You have the right, in certain circumstances, to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.

2. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have your personal data erased and to prevent processing in the following specific circumstances:

1. When your personal data is no longer needed in connection with the purpose for which it was originally collected/processed;

2. If you object to the processing of your data and it can be demonstrated that there is no overriding legitimate interest for continuing the processing;

3. If your data was unlawfully processed (ie. otherwise in breach of the GDPR); or

4. Your personal data has to be erased in order to comply with a legal obligation.

3. Your right of erasure is not limited to circumstances in which the processing of your data is causing you unwarranted and substantial damage or distress. However, if the processing does cause you damage or distress, this is likely to make the case for erasure stronger.

4. The UPHD may refuse your request for erasure if we are processing your data for any of the following reasons:

1. To exercise the right of freedom of expression and information;

2. For public health purposes in the public interest;

3. Archiving purposes in the public interest, scientific research, historical research, or statistical purposes; or

4. The exercise or defence of legal claims.

5. If your request for erasure is granted, and the UPHD has disclosed the data in question to others, we will contact each recipient and inform them of the erasure of the aforementioned personal data – unless this proves impossible or involves disproportionate effort. If requested, we will inform you about these recipients.

 

4. Right to Restrict Processing

1. You will have the right to ‘block’ or suppress the processing of your personal data in certain circumstances. When this right is engaged, the UPHD may elect to store your personal data, but we will not further process it. We will retain just enough information about you to ensure that the restriction is respected in future.

2. The UPHD will restrict the processing of your personal data in the following circumstances:

1. If you contest the accuracy of the personal data we will restrict processing until we have been able to verify that accuracy.

2. If you object to the processing of your personal data(more on which below) and the processing is necessary for the purpose of legitimate interests, the UPHD will restrict the processing of this data while we consider whether our legitimate grounds override yours.

3. If the processing of our data has been found to be unlawful and you prefer restriction to erasure, we will restrict processing of your data.

4. If the UPHD no longer needs your personal data but you require the data to establish, exercise or defend a legal claim, then we will restrict processing of your data.

3. If the UPHD has disclosed your personal data to others,we will contact each recipient and inform them of the restriction on the processing of the personal data- unless this proves impossible or involves a disproportionate effort. If requested, we will also inform you about these recipients.

4. If for some legitimate reason the UPHD decides to lift a restriction on processing, we will inform you of this.

 

5. Right to Object

1. You have the right to object to the processing of your data in certain circumstances. These include if the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), if your data is being used for direct marketing (including profiling) and if we are processing your data for the purposes of scientific/historical research and statistics.Your objection must be on grounds relating to your particular situation.

2. If you wish to exercise your right to object, your objection should be communicated to:

1. If you are an employee, to your line manager;

2. If you are a volunteer, to your main contact at UPHD;

3. If you are a member and the request relates to membership data, to The DPO (contact information below);

4. If you are a member and the data relates to a case you have or had with the Legal Department, to your caseworker;

5. For any other reason, or for more than one of the above,to the UPHD (contact information below).

 

Data Protection Officer

1. The DPO’s role include:

1. To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;

2. To monitor compliance with the GDPR and other dataprotection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits;

3. To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers,etc.).

 

International Access

The UPHD strongly discourages its reps, officials,employees, or volunteers from transferring personal data held by the UPHD outside of the EU. In other words, accessing UPHD email, Google Drive, and other UPHD accounts is discouraged outside of the EU.

 

Personal Data Breaches

1. The UPHD will make all reasonable efforts to keep your data secure. However, there may be times when an accidental breach is unavoidable. This section of the policy outlines what actions the UPHD willtake if a breach does occur.

2. A personal data breach means a breach of security leadingt o the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. For example, personal data breaches can include:

1. Access by an unauthorised third party;

2. Deliberate or accidental action (or inaction) by a controller or processor;

3. Sending personal data to an incorrect recipient;

4. Computing devices containing personal data being lost or stolen;

5. Alteration of personal data without permission; and

6. Loss of availability of personal data.

3. If a breach does occur, or if it’s possible a breach might have occurred, it must be reported immediately to the UPHD’s data protection team. The team can be contacted at:

1. Email: office@uphd.org          

2. Phone: https://www.uphd.org/helpline

4. If one of our processors becomes aware of a breach they must inform us without delay, and we will then follow the same steps as below.

5. Once aware of the breach a member of the team will immediately take steps to investigate the incident and ascertain whether or not the breach was a result of human error or a systemic issue as well as how are currence can be prevented- whether this is through better processes, further training or other corrective steps. All information related to the breach and corresponding investigation will be recorded.

6. However, within 72 hours of becoming aware of the breach,if feasible, the UPHD will establish- based on the information available to itat the time- the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we will notify the Information Commissioner’s Office (ICO) of the breach. If a risk is unlikely then the incident will not be reported, however we will document this and the reasons for coming to the conclusion that reporting to the ICO was not necessary. It is important to highlight that this assessment will be carried out even if the investigation is not yet complete, due to the strict time limits on reporting breaches under the GDPR.

7. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the individuals concerned will be informed of the breach without delay.

 

Handling Membership Data

1. If you are an UPHD official who handles membership data you need to take all necessary precautions to ensure the data is kept safely and securely. If you have any doubts or questions on how to do this please contact the UPHD’s Data Protection Officer.

2. If you are transporting any physical copies of personal data - which is strongly advised as not to do - or hardware containing data,you need to be careful to always double check and make sure you have everything with you and do not accidentally leave behind in a public place personal data.

3. If you are an UPHD official, volunteer, or employee who handles membership or casework data, it is prohibited to use non-UPHD emails to transmit this data.

 

Press

The UPHD actively engages with the press in furtherance of its campaigns. If you are a member there may be times when you are asked to engage with the press. This will always be your choice and you will be asked tosign a consent form before any of your data is shared with the press. Ther ewill be no negative consequences for you should you choose not to engage.

 

Communication with Members

1. If you are an UPHD official, employee, or volunteer communicating with members via email, you must not reveal email addresses to recipients unless it is for the purpose of an organizing initiative where the UPHD is facilitating collaborative action among recipients. This should be the exception with email communications and members must be given the right to opt out.

2. Similarly, if you are emailing more than 30 members for standard communication you must use a provider such as MailerLite or similar,rather than BCC as the risk of CCing by accident is too great.

 

Contact Information

1. The UPHD’s contact information is:

1. Address: 102 Seymour Rd, Headley Down, Bordon GU35 8JU,UK

2. Phone: 01274 028707

3. Email: office@uphd.org

4. Email for data protection purposes:

5. Website: UPHD.org

2. The UPHD’s Data Protection Team can be contacted at:

1. Address: 102 Seymour Rd, Headley Down, Bordon GU35 8JU,UK

2. Phone: https://www.uphd.org/helpline

3. Email: office@uphd.org

 

Keeping this Policy Updated

1. If you have feedback on this policy or UPHD data protection practices, please email us at office@uphd.org

2. This policy will be kept under review and an updated version issued annually.