Data protection legislation has changed. The new General Data Protection Regulations (GDPR) came into effect from 25th May 2018 and supersede the Data Protection Act 1998. Under GDPR rules we are required to let you know how we process your personal information by way of a Privacy Notice.
Personal information we collect and use
Outlined below are details on how we gather and process personal data, and what safeguards are in place in accordance with this Notice, in compliance with the relevant data protection regulations and laws.
Personal data is defined in Article 4(1) of the GDPR:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.
It is not personal data unless it ‘relates to’ the individual.
This notice explains how and why Merton Community Transport uses personal information from its affiliated organisations and affiliated individual members who use its services (clients).
It is regularly reviewed and updated in line with the services we deliver and the suppliers that we use. The date that it was last modified is at the end of this notice. We recommend that you check our website periodically for any changes made to this Privacy Notice. If we make any significant changes that could affect you, we will send you a notification.
When we refer to “we”, “us”, or MCT in this notice we are referring to Merton Community Transport (a company limited by guarantee, Registration Number 3571884, and also a Registered Charity, Registered Number 1073312).
We are listed on the Information Commissioner’s Office website www.ico.org.uk register of data controllers under Registration Number ZA219533. The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
In this Privacy Notice, we refer to the term ‘personal information’ to mean any information from which you can be identified. This might include your name, your home address, your email contact details, or your telephone number. Personal information does not include information where your identity has been removed (i.e. anonymous data).
We use the term special categories of personal information to mean information about your ethnic origin, your religious beliefs and/or your health.
- Personal information we collect and its use for:
2.1 Personalised Transport Service
We provide a range of transport services to affiliated individual members of Merton Community Transport. This section of our privacy notice explains how we collect and use personal information from people who use our Personalised Transport Service, Happy Shopper Service & Minibus Service.
When you contact us about these services, we will collect some personal information from you, for example:
- Date of birth
- Email address
- Telephone number(s)
- Home address
- Credit card details
(This list is not exhaustive).
During the course of providing these services to you, we may also need to collect additional information about you and/or any other individuals you tell us about (for example emergency contact details, payment information and/or proof of ID – this list is not exhaustive).
We will only collect and use your personal information in this way if:
- it is necessary to enter into, or perform, a contract with you; or
- if we are satisfied that we have a legitimate interest to record and retain this information for the purposes of delivering our services to you.
Depending on the nature of the services we provide to you, we may also ask you to give us special categories of personal information about you (for example, information about your health or ethnicity). We will collect and use this kind of information:
- if we have your explicit consent; or
- for equalities monitoring purposes.
We use a third-party, Shaunsoft Community Transport Software, to supply and support our community transport booking system. For more information, please review Shaunsoft’s privacy notice.
2.2 Group Transport Services
When schools, local authorities or organisations contact us to provide group transport services, the school/local authorities may provide us with personal information about the children who will be using our services each day. This will include personal information (names, addresses, dates of birth, and emergency contact details). Where relevant and necessary, we may also receive information about ethnic origin, medical needs, health conditions, mobility issues, language or communication requirements and/or disabilities. In this regard, we will be acting as a data processor on behalf of the school or local authority and it is the responsibility of the contracting body to ensure that it has appropriate consents or authorisations to transfer this information to us.
We will share this information with our drivers for the purposes of delivering the home to school transport services and we will keep this information on record to comply with safeguarding best practice (see ‘Data Retention’ below). We are satisfied that we have a legitimate interest to collect, use and retain this information for the purposes of delivering our home to school transport services.
2.3 Group Transport Services Affiliated Members
If you register with us as a charity, community group or voluntary organisation in order to benefit from minibus services (with or without a driver), we will collect and record personal contact information for individual(s) at the organisation (such as name, address, email contact details and telephone number).
We will only collect and use personal information in this way if:
- It is necessary to enter into, or perform, a contract with you; or
- If we are satisfied that we have a legitimate interest to record and retain this information for the purposes of delivering our services to you.
If we provide minibus services with a driver we may also obtain personal information about your passengers such as their name, address and telephone numbers for pick-up and drop-off purposes. In this regard, we will be acting as a data processor on behalf of the organisation and it is the responsibility of the organisation to ensure that it has appropriate consents or authorisations for individuals to transfer this information to us. We will not retain this passenger list information any longer than is necessary to fulfil the transport booking(s).
2.4 MiDAS Training Service
When you register to take part in any of our MiDAS training services we will collect your name, address, email contact details and telephone number. For certain training courses, you will also need to provide us with your date of birth, national insurance number and driving licence information. We will ask for your consent to collect information about any medical conditions that may affect your ability to drive.
We will share your details with the following third-parties when you undertake certain training courses with us:
- Minibus Driver Awareness Scheme (MiDAS), Car & MPV Training & Passenger Assistance Training (PATS) – the Community Transport Association (CTA)
We may also ask for information about your ethnicity where there is a substantial public interest to do so, in order to monitor equality of opportunity and treatment. We will always store this information in an anonymised format.
We would like to keep in touch with you about upcoming events and the services we provide.
We will only send you marketing communications by email with your consent. If you would like to receive more information, you can click on the email GDPR link here to opt in and receive future marketing material from us if you wish.
If you consent to receive email marketing communications from us, we will add your name and email contact details to our marketing database in order to send the emails to you and we will keep proof of the consent received in accordance with our legal obligations under GDPR guidelines.
You have the right to opt out from receiving email marketing from us by clicking the ‘Opt out’ link in any of our emails or you can contact us at firstname.lastname@example.org or on 020 8648 1001 at any time to opt out, change or update your contact details or to update your communication preferences.
We may send marketing information by post if we are satisfied that we have a legitimate interest, for example, sending a number of our information service leaflets to service users or sending special offers to members. You can contact us by email at email@example.com, by post at Unit 2a Batsworth Road, Mitcham, Surrey, CR4 3BE, or by telephone on 020 8648 1001, to tell us that you no longer wish to receive marketing by post or to update your contact details.
From time to time, we may telephone you for marketing purposes, but we will never use automated calling systems. We will only contact you in this way if we are satisfied that we have a legitimate interest to do so and that you have given us your consent to us making telephone marketing calls to you. You can contact us on 020 8964 4928 or by email to firstname.lastname@example.org to tell us that you no longer wish to be contacted by telephone for marketing purposes.
2.6 Monitoring and Development
We use anonymised information to carry out research into the use of our services and our effectiveness. In some circumstances, we may share the results of this research with third parties such as organisations that fund our work, but this information will always be anonymised so that it can no longer be associated with you.
- Visitors to our website
We collect personal information that you provide when you fill in a form on our website. We will only collect and use your personal information in this way if:
- it is necessary to enter into, or perform, a contract with you (or to take steps, at your request, to enter into a contract with you); or
- if we are satisfied that we have a legitimate interest to record and retain this information for the purposes of responding to queries or complaints, or for internal quality monitoring.
For electronic card payments we use Worldpay which is a third-party payments provider to process the payment. To see more information about their privacy notice, you can visit them at www.worldpay.com/uk/worldpay-privacy-notice.
We use a third-party website support provider, JD Design, to help maintain the security and performance of our website. To deliver this service JD Design may process the IP addresses of visitors to our website. For further details you can visit their website at https://www.designjd.co.uk/
- People who contact us via social media
If you send us a private or direct message via social media, we may share this information with other personnel within our organisation if we are satisfied that we have a legitimate interest to do so, for example, in order to respond to a specific query or to pass on information. We will not share any personal information that you provide in a message with any other organisations or anyone else without your consent.
- Sharing personal information
We only ever use your personal data if we are satisfied that it is lawful and fair to do so. We will never sell your personal data or share it with third parties who might use it for their own commercial purposes.
We will only disclose your personal information to third parties:
- where you have given us consent to share the information with the specific third party;
- where information such as your email address is passed to technical support representatives;
- where we use cloud software providers Sage 50 for our accounting records and Shaunsoft Community Transport Software to store information about our service users;
- where we use Dropbox Business to share information;
- if we are under a legal duty to disclose or share your personal information, for example, if required to do so by a court order or for the purposes of prevention of fraud or other type of criminal activity;
- in order to enforce any terms and conditions or agreements between us;
- as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation (we will always notify you in advance and we will aim to ensure that your privacy rights will continue to be protected); or
- to protect our rights, property and safety, or the rights, property and safety of others (this includes exchanging information with other companies, organisations, legal advisers and regulators for the purposes of fraud protection and credit risk reduction).
- Where we consider it necessary or appropriate, we will share this information with third parties such as our insurers, the Information Commissioner’s Office, the Financial Conduct Authority, a relevant Local Authority, the Department of Transport, and any other associated body whom we are lawfully required to inform.
- Data storage
Merton Community Transport takes your data storage seriously, with the emphasis placed on ensuring that all personal data is stored safely and securely, both on and offline, with your consent. Merton Community Transport does not store personal data outside the EEA and all data is held in the United Kingdom.
- Data Security
We have appropriate security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed both on and offline.
- We hold data electronically in our secure Shaunsoft Community Transport Software booking system and on our on-site file servers, which are protected by both hardware and software firewalls.
- We have off-site backup servers in secure locations.
- We regularly back up all of the data we hold.
- We store papers in lockable cabinets in our offices when not being actively used and we have a secure off-site storage facility for archived papers.
- When necessary, we dispose of or delete your data securely.
- We ensure that our employees, agents and contractors are aware of their privacy and data security obligations and we take reasonable steps to ensure that employees of third parties working on our behalf are aware of their privacy and data security obligations.
- We limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know.
The transmission of information via the internet is never completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your electronic information transmitted to us and any transmission is at your own risk.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
8 Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Our default retention period for personal data is 7 years from the date we receive the information unless otherwise specified by law. Any other data we hold will be held specifically in line with the legal requirement.
These retention periods may be extended or reduced if we deem it necessary, for example, to defend legal proceedings or if there is an on-going investigation relating to the information.
We review the personal data (and the categories of personal data) we hold on a regular basis to ensure the data we are holding is still required and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take steps to correct or delete the data.
- Your rights as a data subject
GDPR rules state that whilst we have collected personal data and are still currently processing that data, under certain circumstances, you have the following rights, by law:
- Right to be informed – to your personal information (commonly known as ‘data subject access request’). This allows you to receive a copy of the information we hold about you and to check that we are lawfully processing it.
- Right of access – to request a copy of the information we hold about you.
- Right of update – to correct data we hold about you that is inaccurate or incomplete.
- Right to be forgotten – to have the personal data we hold about you erased from our records where it is no longer viable to continue holding it.
- Right to restrict or suspend the use of processing – where certain conditions apply you have the right to restrict the processing, e.g. to further our legitimate interest (or those of a third party) or where we are using your personal information for direct marketing purposes or if you want to establish its accuracy or our reasons for using it.
- Right of portability – to request that data we hold about you is transferred to another person or organisation with consent.
- Right to opt out – from receiving MCT marketing material by clicking on the ‘opt out link’ on our website at any time.
- Right to object to automated processing, including profiling – you have the right not to be subject to the legal effects of automated processing or profiling.
In the event that your request cannot be granted under rights of access, we at MCT will write to you with the reason for refusal where you will have the right to challenge it legally.
If you want to access, correct or request restriction or erasure of your personal information, or to object to us using your personal data, or request that we transfer a copy of your personal information to another party, please contact email@example.com or 020 8648 1001. We would prefer that you email or put your request in writing and post it to us.
If you have given your consent to us processing your personal information, you have the right to withdraw your consent at any time. To withdraw your consent, please contact firstname.lastname@example.org or 020 8648 1001. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information.
We may update this privacy notice at any time and will show the date the privacy notice terms were modified on our website. Where possible we will send out emails and any changes will take effect 7 days after the date our email was sent. Please check for any updates or amendments to the privacy notice on a regular basis. Your continued use of our website after the expiry of this period would mean that you agree to be bound by the modified Privacy Notice.
By agreeing to this privacy notice you are consenting to MCT processing your personal data for the purposes outlined. You can withdraw consent at any time by email, post or writing to us at the address under section 19 below.
- Comments, Queries and Complaints
All comments, queries or complaints and requests relating to MCT’s use of your personal data are welcomed. You have the right to complain to the Chief Executive Officer for MCT in the first instance. Should you wish to exercise any of your rights or receive further information from MCT about this ‘Privacy Notice’, please contact MCT where you should get a response within 30 days. If you do not get a response within this timescale you can complain to the Data Protection Regulator at any time during the process.
- Contact Details:
Chief Executive Officer (Fitzroy Dawson)
0208 648 1001
Address: Merton Community Transport
If you have any queries or complaints about the processing of your personal information you also have the right to contact the Information Commissioner’s Office (ICO) at this website address: www.ico.org.uk
MCT may on occasion pass your personal information to third parties exclusively to process work on its behalf. MCT agree to ensure your data is secure, to process this information based on our instructions to comply with GDPR legal requirements.
MCT will not act as a broker or pass on your information to any organisation who you are in engagement with, without your consent. However, we may disclose your personal information to meet legal obligations, regulations or valid governmental request. The organisation may also enforce its Terms & Conditions; prevent or mitigate fraud or technical issues; or protect against imminent harm to the rights, property or safety of MCT, client or the wider community.