PICTFOR is a registered All Party Parliamentary Group (APPG) operating under official APPG rules. PICTFOR is managed by Lodestone Communications who are its official secretariat.
Lodestone Communications is referred to below by their registered name Lodestone Oxford Limited.
Lodestone Oxford Limited is a Data Controller registered with the Information working with Data Processors who include the following: MailChimp, Google Docs, Eventbrite and WeTransfer.
This privacy notice governs the collection, storage, use of personal information collected by us, Lodestone Oxford Limited on behalf of PICTFOR. It provides details about the personal information that we collect from you, how we use your personal information, your rights regarding the personal information that we hold about you. Please read this privacy notice carefully.
Statement of commitment to data protection
We are committed to adhering to GDPR principles as demonstrated within this, our privacy notice, and also in-house policy and processes. We provide PRCA standard training for staff and our staff are subject to strict obligations of confidentiality. We have disciplinary procedures in place should a member of staff breach GPDR. We have conducted an audit of our processes to ensure that they are lawful, fair and transparent.
Purpose of collecting the personal data as well as the legal basis for the processing and controlling
Who do we collect information about?
We only collect data where we have:
- A statutory reason
- A legitimate business interest, or
- Fully informed and freely given consent
We collect the personal information about our members, journalists, politicians and office holders, other stakeholders and (where there is a lawful basis, or it is in our legitimate business interests to do so) potential members (where we have legitimate interest) – see below for more information.
What personal information do we collect from you?
We only collect basic personal information where it can be used for our principal purposes including name, job title, company, business email, & phone number.
We believe in and carry out a policy of data minimisation. We don’t generally hold special categories of data (e.g. religious views, health history or criminal records). We do however, hold political information for politicians, councillors and those who have already shared this information on a public platform.
How do we do this?
We collect this personal information, by a number of means including:
- As a result of face to face contact at events where we collect attendee lists and business cards.
- Through communication with journalists
- Through communication with members
- By doing research to understand who the stakeholders may be for our projects. We get this information from public platforms. Such as Linkedin, Dehallivand and Council websites.
How we inform data subjects of our intention with their information?
Following guidance from the ICO, we will use a layered approached to sharing our privacy information. We provide the key privacy information immediately and have more detailed information available within our privacy notice for those that want it. This is used where there is not enough space/time to provide more detail. For example, when we collect business cards, it is our policy that we have a process to record when we got these, and state what our intention with this information is. We then refer the individual to this, our in-depth privacy notice.
It is our intention that:
- Our privacy notice is clear, easy to read and simple to understand
- We are open about how we collect, store, use and secure personal data
Our intention with this information:
Members and future members – We use this information purely for the purposes of our legitimate interests in communicating with those we have working relationships with, those we have legitimate interest in having working relationships with in the future.
Journalists – We hold information on journalists as part of our legitimate interests in conducting our principal purpose. Using this information also serves the interests of the public as we contact journalists who write about the issues that we cover.
Stakeholders – We use this information purely for the purposes of our legitimate interests in communicating with those we have working relationships with, and those we have legitimate interest in having working relationships with in the future.
Notes/invites – We communicate with our network through a series of regular mailings which typically involve updates to our group, and also frequently send out event invitations and information about sponsorship opportunities to relevant individuals. People receiving our communications also receive a link to our privacy notice and can freely unsubscribe at any time.
Data retention periods
We only hold data for as long we need to and have a legitimate reason to do so. All information is secure and portable. We review this annually to decide whether we still need the data and delete if not. It is within our retention policy to keep a note of those who have unsubscribed from our email lists to ensure we no longer contact them. In some cases, we keep financial information or contract-related information for 7 years.
Disclosures of personal data
We may share your personal data with third parties in the course of providing our services to you. These are: MailChimp, Google Docs, Eventbrite, Wetransfer and other third parties including specialist IT support, suppliers and sub-contractors for the performance of this site, our applications and any contract we enter into with them or you in connection with our dealings with you. We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We have contracts with these third parties to ensure that your data is protected and that we can lawfully transfer the data to them. Where the service providers are located in a territory that is not recognised as having adequate protection, we will use a contract or other method of disclosure to share your data in a lawful manner. If you would like more information on this please contact us using the details below.
Our security measures
All of our employees have been fully trained to PRCA standards with regards to data privacy matters and subject to confidentiality obligations. We are based within a locked office with a 24-hour manned reception. All computers and laptops are password protected. All information we hold is stored on Dropbox with controlled access given by permission.
What are your rights in relation to the personal information that we hold?
You have the following rights:
- To ask us to provide you with copies of personal information that we hold about you at any time
- To ask us to update or correct any out of date or incorrect personal information that we hold about you (in accordance with applicable data protection legislation)
- To request that we send you your personal information (where we are handling your personal information in order to perform a contract between us) in a structured, commonly used and machine-readable format (in accordance with applicable data protection laws)
- The right to opt-out of any marketing communications that we (or any third party to whom we have disclosed your personal information with your consent) may send you
If you want to exercise any of these rights, please write to us (either by post or e-mail) at the address specified below.
If you object to our processing of your personal information for certain purposes or you want us to stop using or to delete your personal information, you can contact us and tell us why. In certain circumstances we may not be able to stop using your personal information but, if that is the case, we’ll let you know and tell you why.
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated. Please contact us at firstname.lastname@example.org
If you are not satisfied with our response or believe we are not processing your personal information accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/ or seek a remedy through local courts if you believe your rights have been breached.
Data Protection representative:
Jo Dalton, Lodestone Communications