1. Background and purpose
2. How your data is collected
3. How your data is kept secure
4. Who has access to your data
5. How your data is processed
6. The basis on which we process your data
7. Data minimisation
8. Special category data
9. How LambethRef will communicate with you
10. How LambethRef protects children's privacy
11. Your rights and how you can affect the way we communicate with you
12. How to find out more or make a complaint
- Key references
1. Background and Purpose
LambethRef believes that its aims can only be achieved through local action involving local people. In order to build and maintain a lasting community of action and support, LambethRef collects data in order to inform you and others like you about what you can do to help achieve our collective aims, and to give you the opportunity to be more involved in bringing about the community and local government changes that LambethRef campaigns for. We may also use your information to inform our campaigning including to know what issues are important to you and your community. We take seriously our duty to keep your data secure. We have developed this policy so that you know what we do with your data.
This policy applies to:
These entities are collectively referred to as “LambethRef”, “we” and “us” in this document unless otherwise specified.
Personal Data: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Information Commissioner's Office (ICO) definition)
Examples of personal data
Electoral registration number
Subscription / financial details
Date of birth and age (known and inferred)
Propensity to vote scores
Online identifier (e.g. IP address, cookie identifiers)
Attributes, opinions, and characteristics (known and inferred)
Under the legal requirements of the General Data Protection Regulation, (UK GDPR), requirements apply where personal data is to be processed wholly or partly by automated means OR processed in a way that forms part of or is intended to form part of a filing system. In reality, these conditions apply to most types of processing, including our own.
Data controller: controllers determine the purpose and means by which personal data is processed, are the main decision-makers, and exercise overall control over the processing of personal data and have the highest level of responsibility for their own compliance as well as being responsible for the compliance of their processors.
Joint controller: two or more controllers jointly determining the purposes and means of the processing of the same personal data.
Data processor: processors handle data on behalf of controllers and act on their behalf. They carry compliance responsibility in their own right for security, data breach notification, and accountability. Processors cannot take any overarching decisions about data such as what will be collected or how it will be used, only controllers can take these decisions.
For the purposes of political parties, campaign groups, candidates, and elected members, each of these is considered separate controllers regardless of the exact set up and type of legal entity formed and therefore a joint controller situation occurs.
1.3 Principles and Rights
LambethRef will ensure that the key principles and rights set out in the UK GDPR are upheld through the way we work where they are applicable to our work and will adopt a privacy by design approach.
The key principles set out by the UK GDPR are:
Lawfulness, fairness and transparency
Integrity and confidentiality (security)
The UK GDPR also provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
2. How your data is collected
2.1 Who collects your data
LambethRef is the controller of your data and is responsible for the collection and processing of your data. Members of the wider LambethRef organisation will sometimes act as representatives of LambethRef when collecting your data, and process your data on behalf of LambethRef.
LambethRef can be contacted via email@example.com
2.2 What data is collected
We may collect data from you through the following means and others:
Website subscription forms
Petitions and surveys
Membership and volunteer sign-ups
Cookies and IP addresses
The Electoral Register
In most circumstances we will only ask you for your name and contact details, and for your payment details if you are donating. Sometimes we ask for additional information about you and your views and interests and the activities you take part in, if this helps in campaigns or in keeping campaigns relevant to you.
Additional information we may ask you to provide may include geographic information (for example, your postcode and constituency), your willingness to volunteer, your date of birth, gender, ethnicity, employer and occupation, whether or not you are a member of a political party, trade union or other organisation, and whether or not you are a student.
If you donate to us, then your financial details will only ever be stored by third parties, such as Paypal, GoCardless, Stripe and by our banking service providers. We may also securely store details of when you made a payment, how much you paid and when and how much you intend to pay in the future. If you make payments using a cheque or cash, we will also securely store electronic records of these payments. If you donate more than £500, we will also maintain records of this in order to comply with our duties under the Political Parties Elections and Referendums Act 2000, this includes keeping records of multiple smaller donations from the same individual or organisation in case they amount to more than £500 in total.
We will also collect information such as your Internet Protocol (IP) address for monitoring and improving the effectiveness of our website services as well as its security.
2.3 Where we obtain your data from
In most cases, we will obtain your data directly from you, using an electronic or physical form, or verbally.
We may sometimes supplement your data with other publicly available information where we have your consent to do so, where it is necessary to do so in order to comply with a contract we have with you, one of our legal obligations or legitimate interests, or where you have given other organisations permission to share your data with us.
2.4 Electoral Register Information
We will, at times, make use of information held on the electoral register which includes names and addresses of individuals in our community who are registered to vote. This includes access to the marked register which indicates whether an individual voted in the last election, but not how they voted.
Only obtain and use the register in ways compatible with electoral law;
take steps to ensure the accuracy of the data.
We will request updated versions of the register on a regular basis. Using older versions risks writing to people who are no longer living in certain addresses or not taking account of other factors such as changes of name or individual wishes not to be on the register;
not share electoral register data with any other controllers;
and only share data with processors where allowed under electoral law.
In addition, even though we may have a legal entitlement to obtain and process electoral register data, we will still meet the requirement in UK GDPR to provide privacy information to those individuals.
3. How your data is kept secure
3.1 What LambethRef does to keep your data secure
We will use physical, electronic, and managerial procedures to help safeguard, prevent unauthorised access to your data, maintain data security, and correctly use your information. These include protecting your information using firewalls, password protection and, where appropriate, encryption.
We use Paypal and Stripe in order to process financial transactions. These services may process your financial details. Both of these services are registered with the Financial Conduct Authority and use advanced encryption technology in order to protect transactions and your data.
Where we use them to process your data, LambethRef will put in place agreements with third-party service providers to ensure that they take appropriate measures to ensure the security of your information.
Where necessary for their individual role with LambethRef, we will train our staff, volunteers, and contractors to understand data protection and to keep your data secure. We ensure that all individuals who have access to your data sign data protection agreements and non-disclosure agreements, which detail their duties to keep your data secure and not to disclose it to anyone else without our authorisation.
4. Who has access to your data
We will never sell your data but sometimes it is necessary to share your information, either within the wider LambethRef organisation, with other organisations or individuals who share our values and aims, with our service providers, or with data processors. Data is only ever shared where we have a lawful basis to do so.
4.1 Who we are likely to share data with:
The wider LambethRef organisation
Elected representatives who support LambethRef
Campaigners that support LambethRef
Service providers (including Nationbuilder, Paypal and GoCardless)
Financial organisations – such as credit card payment providers
Where we share data with the wider LambethRef organisation, we ensure that the recipient of the data signs an agreement that they will use the data only for the purposes for which it was provided and will take necessary measures to ensure its security.
In LambethRef, only those authorised to process your data can access it. We make sure that staff, volunteers and contractors see only the data that is necessary to perform their tasks.
4.2 Third Party Providers
In order to carry out our work we use tools at platforms from a range of third party providers including but not limited to:
From time to time we may need to share some of your data with other third party data processors (such as technology providers, website hosts, online systems). Where we do so we will have a data processing agreement with the third party, and where they are located outside the European Economic Area (EEA) we will ensure that they provide enough security and privacy to enable us to meet our legal obligations to you.
4.3 International Transfers of Data
In order to process your data for the purposes outlined below, we may need to transfer your data to countries or jurisdictions outside the EEA. In each case, we ensure that our suppliers provide adequate protection for the rights of data individuals in connection with the transfer of their personal data. Currently, we expect all suppliers to use a standard contractual clause approved by the European Union or be subject to Privacy Shield or an equivalient scheme in the United States.
5. How your data is processed
We have and collect data for use in LambethRef’s campaign and to build a lasting network of support and debate around the ideas it inspires.
5.1 Reasons we will process your data and contact you:
To inform you about our campaigns and campaigns we support
To let you know how you can help support and/or fund our campaigns and campaigns we support
To let you know how you can campaign with us and with campaigns we support
To let you know how you can volunteer with or otherwise support us
5.2 Other purposes for which we may process your data:
Complying with our legal obligations
Processing your donations
Answering your enquiries
Responding to complaints
Informing you of how you can participate internally in LambethRef organisation, decision making, campaigns, and general activities
The basis on which we process your data
We process your data on the following basis:
We process most of the data that we hold on the basis of consent, this can include your name and contact details, payment details and additional information about you and your views, interests and activities you take part in. Where we process your data on the basis of your consent, that processing of your data will be restricted to those types of processing for which we have received your consent.
LambethRef may have a contract with you. For example, if you join LambethRef as a member, then your agreement to its constitution amounts to a contract. If you are a member of LambethRef, then we will process your name and contact details, payment details and geographic information (such as your postcode and constituency) as well as details of your membership of political parties on the basis of your membership agreement, for the purposes of administering your membership, in order to check your membership status and eligibility for continued membership, in order to determine which benefits of membership you are eligible for and in order to inform you of these benefits.
If it is necessary for us to process your data in order to comply with any other contracts we may have with you, then when we enter into the contract with you we will inform you of this, as well as informing you of the types of processing that it will be necessary for us to carry out, the categories of data that we will process, and the purposes of our doing so.
6.3 Legal Obligation
We have various legal obligations, such as obligations to report donations under the Political Parties Elections and Referendums Act 2000. If you make a donation, then we will process your name, details of whether or not you are on the electoral roll, and details of when and how much you donationed on the basis of our legal obligations for the purposes of maintaining records of and reporting on regulated donations to us.
6.4 Legitimate Interest
LambethRef is a campaigning organisation that has a legitimate interest in producing and improving its political communications in a democratic society in order to build a lasting network of support and debate around the ideas that its campaign inspires. These communications are defined as “marketing” in the data protection legislation. We process your name, contact details and additional information about you, your views and interests, and activities you take part in on the basis of this legitimate interest, in order to improve these communications and help them reach you and people like you or reach people that they have not reached before.
When we share your data with other organisations or individuals who share our values and aims, we will rely on legitimate interest in circumstances where we haven’t sought your consent.
6.5 Public Task
LambethRef is committed to improving local politics through its activities, including better resident engagement with democracy and decision making processes; this falls under the lawful basis for processing personal data as it is a public task. This activity includes encouraging and supporting local residents to register to vote and fundraising to support our work. In order to fulfil our commitment to improving democratic engagement we may sometimes need to process your personal data such as your name, address, and other contact information.
6.6 Vital Interest
We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
7. Data Minimisation
When LambethRef processes personal data, this will be limited to essential information only and done so only when it is absolutely necessary. This means that data processing will be done in a targeted and proportionate way that is specific to us achieving our goals. Wherever possible, LambethRef will set out to identify alternative means to achieve the same goals without requiring personal data to be collected in accordance with the requirements of the ICO.
Example: if a candidate wishes to leaflet an entire housing block or estate they have two choices:
Deliver a leaflet to every household in the block/ estate
Use the Electoral Roll information to address leaflets targeting individual households
ICO guidance means that approach 1 should be used as it requires the least processing of personal data to achieve the same goal.
As part of our commitment to data minimisation, we will only keep information for the period of time we are required to by law, or for as long as we are actively using that information.
8. Special Category Data
Special category data use is restricted by the UK GDPR and the Data Protection Act 2018 (DPA) and can only be used in special circumstances and must always be processed fairly. Special category data includes sensitive information such as a person’s political opinions. Using special category data to target individuals can be intrusive and discriminatory and LambethRef will not collect, process or otherwise use such data other than to maintain a list of members and supporters.
9. How LambethRef Will Communicate with You
As well as the UK GDPR, LambethRef must also comply with the Privacy and Electronic Communications Regulations 2003 (PERC).
9.1 Cold Calling
For cold calling (by telephone), we will always screen telephone numbers against the Telephone Preference Service to ensure that numbers belonging to individuals who have opted out of receiving marketing and other such telephone calls are not cold called.
9.2 Direct Marketing
For any direct “marketing” communications about our campaigning we will only contact you via email, text, or other electronic messaging services if we have your permission to do so in advance. We won’t contact you via any of these means to ask for this permission as we require your active consent before we begin sending you marketing communications.
We may occasionally send you campaigning materials through the post or telephone you without your consent if in the circumstances we have a clear legitimate interest to do so. We won’t ask you to forward emails or other messages to people we don’t have consent from. You may also see campaigning online and on some social media sites if you have interacted with us before.
9.3 Responding to queries
To respond to your queries we will contact you either via the medium you used to contact us or by a medium you have indicated you would like us to respond with. If it is necessary to contact you for any administrative purposes then we will usually try to email, text or call you, usually in that order, depending on what contact details we have available for you.
10. How LambethRef Protects Children’s privacy
No information should be submitted or posted to LambethRef by children under the age of 13 without prior consent of their parent or guardian. If we become aware that an under 13 has subscribed to receive information from us we will remove this subscription to ensure no further communication occurs.
11. Your rights and how you can affect the way we communicate with you
You have a number of rights under data protection law. We’ve provided some basic information about these here. Further details can be found from the Information Commissioner's Office (ICO) (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-UK GDPR/individual-rights/).
Right to be Informed
You have the right to be informed about how we use your personal data and under what lawful basis we process it. We provide this information in this policy however if you would like more information please contact firstname.lastname@example.org .
Right to access your information
You have a right to ask us to send a copy of all your personal data that we hold about you (subject to some exceptions). This is called a ‘subject access request’. You can make this request by contacting email@example.com .
Right to object to us processing your information
You have a right to object to us processing any of your personal data where we are relying on legitimate interest as the lawful basis for processing. You also have the right to withdraw your consent from our processing that requires it (e.g. our email communications). Every electronic communication we send directly to you will include an opt out options and you can also ask to opt out be emailing firstname.lastname@example.org.
Right to ask us not to market to you
You have the right to opt out of any marketing and personally addressed direct mailings we send you. Electronic communications will include opt-out links to ‘unsubscribe’, for other media please email email@example.com.
Right to correct inaccurate data
You have the right to ask us to correct inaccurate data we hold about you. If you provide us with new data, we will update our records as soon as possible providing we are satisfied that the information is accurate. Email firstname.lastname@example.org to request an update for any service that you cannot self-update.
Right to have your data erased
You have a right to request that we delete your personal data in some circumstances. For example, if we have processed data unlawfully or if we n longer require the data collected for the original purpose. Contact email@example.com to request data erasure where you cannot self-erase.
Right to have processing of your data restricted
You can request that we restrict processing your personal data in some circumstances. For example, if you believe personal data is inaccurate and we need to look into the inaccuracy or, if we no longer need the data but you require us to keep it to exercise your own legal rights. Restricting your personal data means we store your data but no longer use it for any further processing unless you consent to us doing so or there is a legal basis to do so such as in a legal claim or to protect a third party or the public.
12. How to find out more or make a complaint
You can contact us with general enquiries by emailing firstname.lastname@example.org subject: “UK GDPR enquiry”.
If you would like to make a complaint to us about how your data is processed please contact email@example.com and set out the nature of the complaint.
You also have a right to make a complaint to the Information Commissioner’s Office (ICO). Information on how you can do so is available from the ICO..
We will normally need to ask you for proof of your identity before we can respond to a request to exercise any of your data rights and d we may need to ask you for more information, for example to help us to locate the personal data that your request relates to.
ICO’s ‘Guidance on Political Campaigning: Draft Framework Code for Consultation’
What are cookies, web beacons and similar technologies?
These technologies are essentially small data files placed on your computer, tablet, mobile phone or other device (“collectively, a “device”) that allows us to record information when you visit or interact with our website, social media sites, or other online services. Though often these technologies are generically referred to as “Cookies,” each functions slightly differently, and is better explained below:
Cookies are small (often encrypted) text files placed in the memory of your browser or device when you visit a website or view a message. Cookies allow a website to recognize a particular device or browser. There are several types of cookies:
Session cookies expire at the end of your browser session and allow us to link your actions during that particular browser session.
Persistent cookies are stored on your device in between browser sessions, allowing us to remember your preferences or actions across multiple sites.
First-party cookies are those set by a website that is being visited by the user at the time in order to preserve your settings (e.g., while on our site).
Third-party cookies are placed in your browser by a website, or domain, that is not the website or domain that you are currently visiting. If a user visits a website and another entity sets a cookie through that website this would be a third-party cookie.
Preventing your browser from accepting 1st party cookies will prevent the placement of some cookies that are classified as “Essential”.
A web beacon (also called “tracking pixels” or “image tags”) is a small file (most often a transparent, 1x1 GIF file) that is loaded on our web pages. These pixels may work in concert with cookies to collect information about your visit, your web browser/device, browsing activity, or onsite behavior and provide that information to service providers. Pixels are most commonly used to collect anonymous traffic metrics (page visits, button clicks, order completion) used to analyze site performance.
A script is a small piece of website code placed on our websites to power customer service tools like live chat, allow for the delivery of video tutorials in our help section, and allow us to provide interactive experiences to visitors. They are also used to collect data that we use for website analytics, or to provide data on the effectiveness of our advertising.
Technologies that store information in your browser or device utilizing local shared objects or local storage, such as flash cookies, HTML 5 cookies, and other web application software methods. These technologies can operate across all of your browsers. In some instances, these technologies may not be fully managed by your browser and may require management directly through your installed applications or device. We do not use these technologies for storing information to target advertising to you on or off our sites.
What technologies do we use and why?
Our cookies, web beacons and similar technologies serve various purposes, but generally they (1) are necessary or essential to the functioning of our sites, services, applications, tools or messaging, (2) help us improve the performance of or provide you extra functionality of the same, (3) help us to serve relevant and targeted advertisements, or (4) allow us to offer support tools that you utilize to interact with our care guides:
Strictly Necessary or Essential: "Strictly necessary" or “essential” cookies, web beacons and similar technologies let you move around the website and use essential features like secure areas and shopping baskets. Without these technologies, services you have asked for cannot be provided. Please note that these technologies do not gather any information about you that could be used for marketing or remembering where you've been on the internet. Accepting these technologies is a condition of using our sites, services, applications, tools or messaging, so if you utilize tools that might prevent these from loading, we can't guarantee your use or how the security therein will perform during your visit.
Performance: Performance technologies may include first or third-party cookies, web beacons/pixels, and scripts placed in order to gather information about how you use our website (pages you visit, if you experience any errors, load times). These cookies do not collect any information that could identify you and are only used to help us improve how our website works, understand the interests of our users, and measure how effective our content is by providing anonymous statistics and data regarding how our website is used.
Advertising: Advertising technology may include first or third-party cookies, web beacons/pixels, and scripts placed in order to gather information on the effectiveness of our marketing efforts, deliver personalized content, or to generate data that allows for the delivery of advertising relevant to your specific interests on our sites, as well as third-party websites. We also utilize 3rd party service providers to assist us in delivering on the same functions, which means that our authorized service providers may also place cookies, web beacons and similar technologies on your device via our services (first and third party cookies). They may also collect information that helps them identify your device, such as IP address, or other unique or device identifiers.
Support: Support technologies may include first or third-party cookies, web beacons / pixels, and scripts placed in order to provide tools for you to interact with our customer support teams. This technology allows us to provide chat services, gather customer feedback, and other tools used to support our visitors. Data collected for these purposes is never used for marketing or advertising purposes.
How to manage, control and delete these technologies
You may manage certain cookies, web beacons and similar technologies we place.
Internet browsers allow you to change your cookie settings. These settings are usually found in the 'options' or 'preferences' menu of your internet browser. In order to understand these settings, the following links may be helpful. Otherwise you should use the 'Help' option in your internet browser for more details.
Cookie settings in Internet Explorer
Cookie settings in Firefox
Cookie settings in Chrome
Cookie settings in Safari
If you wish to withdraw your consent at any time, you will need to delete your cookies using your internet browser settings.
More information about cookies
Useful information about cookies, including information about deleting or blocking cookies, can be found at: https://www.allaboutcookies.org
A guide to behavioral advertising and online privacy has been produced by the internet advertising industry which can be found at: https://www.youronlinechoices.com
The UK Information Commissioner's Office (ICO) cookie guide can be found on the ICO website: https://ico.org.uk/your-data-matters/online/cookies/y