We are Scripture Union Northern Ireland…
Based in Northern Ireland SUNI is part of the global Scripture Union movement which seeks to make the Good News of Jesus known to children, young people and families. We are registered with The Charity Commission Northern Ireland (NIC104852), registered as a company in Northern Ireland (NI008002) and with the ICO (Information Commissioner’s Office), registration number Z7294413. But, in a very real sense YOU are SUNI!!
…YOU ARE SCRIPTURE UNION NORTHERN IRELAND
Whether you are a pupil leading a school SU group, a prayer warrior interceding for SU or a potato peeler feeding mounds of mash to SU campers each summer, You are what makes SUNI what we are.
You are really valuable to us and so your privacy matters. We will only ask you for the information we need, and we will only use it for as long as we need to. We don’t pass on your personal information to other organisations for marketing purposes. What we do with any personal information you give us is really important and we owe it to you to treat your data with care.
- We collect information from different people who engage with SUNI (those pupils, prayer warriors and potato peelers, as well as staff, supporters, customers, volunteers, leaders, donors, committee members, campers, schools volunteers etc)
- We collect this information so that we can do what we do well, whether that is planning an inter-schools event, putting together a team of quality volunteers to run a safe camp, working with church teams to deliver ‘It’s Your Move Lessons’ or employing staff members.
- We only collect and use information which we need or which you have agreed that we can use.
- We endeavour to make it as easy as possible for you to update your information, withdraw your consent, and access your information.We are careful with your information and work hard to make sure it is held securely (for more information see our security section).
- We never sell your data and we don’t share it with other organisations for their own purposes. We will share data if there is a legal requirement to do so.Where we use other organisations to provide a service (such as Mailchimp to contact people by email), they have been selected carefully to ensure they also treat your data securely, and they will only use your data as instructed by us (for more information see our Third Parties section).
- We only keep your information for as long as we consider it necessary and reasonable. Our data retention policy takes into account our legal obligations, insurance recommendations, and accounting and tax consideration.
You can update your information or ask us to stop contacting you at any time by using the Update Me button at the top of the page. And finally, if you would like to know more, please don’t hesitate to get in touch with us. You can email (email@example.com) phone (028 9045 4806) or write to us (Data Team, SUNI, 157 Albertbridge Road, BELFAST, BT5 4PS).
Click on the relevant button below to see how we use your information.
Special Category Data
All personal information is private, but some types of information are more sensitive than others e.g medical information, religious beliefs or information about special needs, and this is recognised in law. Since we only collect the information we need, you can rest assured that we will only ask for personal information about you if there is a good reason for doing so – e.g. to ensure that children’s needs are appropriately catered for at a camp or mission; to make sure that our volunteers meet the high standards we require of them; to ensure safeguarding at camps, missions or events. We will have identified sound legal bases for processing any special category data and we will treat it with extra care.
SUNI will never sell your data to anyone else, nor do we share your data with other organisations for their marketing purposes. We don’t share your data in ways you would not expect and we are transparent about who we plan to share your data with and why, but we may also have to share your data if there are legal reasons to do so e.g. with the police regarding suspected fraud or with social services in relation to child protection.
In outlining above what we do with each different type of person’s data we have highlighted some of the third party service providers we use. They are listed below. We have chosen them because they also treat your data with respect and their data policies align with ours. They will only use your data as instructed by us.
We generally store data within the European Economic Area, but if one of our third parties needs to transfer it outside the EEA we will have checked that adequate levels of privacy protection, in line with UK data protection law, are in place e.g. by choosing an organisation in the US which has been certified under the EU-US Privacy Shield Framework.
We use a third party provider, MailChimp, to send out mailings to supporters and volunteers (e.g monthly Prayer Focus, E3 workers’ termly news, Camps and Missions leaders mailings). We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our mailings. MailChimp is based in the US, but has certified its compliance with the EU-US Privacy Shield Framework. For more information please see MailChimp’s privacy noticeand Data Processing Addendum
- Morgan Document Security
We use a third party provider, Morgan Document Security, to archive documents long term (generally for legal purposes) and to securely destroy personal information which we no longer need. They are a well-respected local firm with excellent security standards, accredited with ISO 9001 (quality standard) and ISO 27001 (Information Security Management Standard). For more information on their processes and their secure archiving and secure shredding services, please refer to their website.
We use a third party provider, Eventbrite, to process bookings for many SUNI events, e.g. the Making Your Mark weekend and Camps and Missions training events. They hold the information which you give them in relation to the event you are booking. As an Organiser, we can then access that information in order to run the event. When the event and any follow up has been completed, we ask Eventbrite to delete the personal data relating to that event. Eventbrite have never had a data breach to date (see Eventbrite’s Security and Safety Guide). Eventbrite is based in the US, but has certified its compliance with the EU-US Privacy Shield Framework. For more information please see Eventbrite’s privacy notice
We use Access NI to carry out enhanced checks on volunteers, interns and staff who will be working with children. After registering with Access NI via their website you will apply for an Enhanced Check, and will enter your addresses for the last 5 years, your National Insurance number and your driving licence and passport numbers if you have these documents. This data will be used to check for any criminal records which may impact on your suitability to work with children. Access NI is a government body and therefore complies with the GDPR and expects registered bodies like SUNI to hold to strict data protection procedures in how we handle the information they share with us (you can find their privacy notice here). Further details of what information may be disclosed about you can be found here.
We use a third party provider, NowDonate, to facilitate easy online giving to SUNI. NowDonate is registered in the UK. For more information please see NowDonate’s privacy notice.
- World Pay
To comply with our legal obligations, SUNI must send information to HM Revenue and Customs for tax purposes.
- Companies House
To comply with our legal obligations, SUNI is registered with Companies House. This includes sending personal data on the Company Directors and the Company Secretary to Companies House. For more information please refer to the Companies House Personal Information Charter.
- The Charity Commission for NI
To comply with our legal obligations, SUNI is registered with The Charity Commission for Northern Ireland. This includes sending personal data on the Company Directors and the Company Secretary to the Charity Commission. Further data protection information from The Charity Commission for Northern Ireland can be found here and here
- Scottish Widows
- Ulster Bank
We use the Ulster Bank to make and receive payments. The Ulster Bank Ireland DAC is registered in the Republic of Ireland, and therefore comes under the GDPR. For more information on how the Ulster Bank protects its customers, please refer to ‘How we protect you’.
- Postal Sort
- Blackdog Media
Blackdog Media provide technical support and consultancy services to SUNI. For more information on this trustworthy local company please refer to their website
- File Sharing Websites
File sharing websites offer a more secure alternative to attaching files, so we recommend their use when personal information needs to be transferred. Dropbox is based in the US but has achieved EU-US privacy shield certification. The Dropbox website gives more information on privacy, compliance and security . WeTransfer is located in the E.U. Their website has more information on the security of their platform, and GDPR compliance.
- Shine Website
We work with our trusted partners, Crown Jesus Ministries, Logos Ministries International and Scripture Union England & Wales to run SHINE and SHINE KIDS. The Shine website (www.shineinschools.com) is hosted by Big Wet Fish (BWF Hostings Limited), registered in Northern Ireland. The servers are located in a fully ISO27001 certified facility in England. For more information on BWF Hostings Limited please see their website.
- Volunteer Website
Our volunteer website (which is where you would register as a schools volunteer or a camps and mission volunteer) is a bespoke website hosted on a 1&1 server. For more information about this company, registered in the EU, please see their website.
- Our Website
Our website is hosted by WordPress.com, which is run by Automattic Inc. We don’t collect cookies, but we use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. For more information about how WordPress processes data, please see Automattic’s privacy notice. Our website has links to other social media and to websites belonging to third parties, and we may include content from websites such as these on our website. However, please be aware when you leave our website that we have no control over the privacy practices of other websites.
It is SUNI’s policy to obtain parental permission for children at camps and missions and permission from young people at events like Making Your Mark, to take photographs/videos which may be used in SUNI publicity (e.g. in the following year’s brochure, on websites, on SUNI social media posts etc). At events there will be a poster displayed explaining that we might be taking photos/videos, and signposting who to talk to if you don’t want to be in photos. There will also be an announcement made to ensure that event participants are aware that they can ask us not to use their photograph.
Policies and Procedures
Our Data Protection Policy is reviewed and updated annually.
Out of office hours the main office building is securely locked and alarmed. During office hours, visitors not allowed unsupervised access to office areas.
There are robust practices to ensure the security of paper records: they are stored in locked filing cabinets, and shredded once they are no longer needed, in line with our data retention policy. Large quantities of confidential waste are disposed of by Morgans, and certificates confirming destruction are provided and held on file.
References for all staff are obtained prior to employment and we place a high value on trustworthiness, integrity and confidentiality. Staff receive regular training (at appropriate levels) on data protection: currently all staff are receiving monthly training at our Full Team Meetings.
As an almost entirely Mac-based organisation, our cyber security issues are significantly reduced. All staff laptops are encrypted and all staff computers are passworded. Only the staff member and the PA know the password to each computer. Staff are encouraged to use passwords for files containing personal data, and to consider using file sharing websites rather than attachments when personal data needs to be transferred for some reason. Data on our secure server is encrypted, and it is backed up regularly. Care and consideration are taken regarding SPAM mail, up to date antivirus protection and appropriate firewalls, as well as installing updates. Outdated computer equipment is destroyed by our IT support (Blackdog Media) and certificates of disposal are provided. SUNI policy is to shutdown computers completely or put on ‘sleep more’ each evening, which would avoid sensitive information being accessed in the event of an office break in. Our wireless router is secure and guards against hackers, and a wifi password is in place. The connection between devices and the wifi is encrypted.
You have the following rights with regard to good information handling, which we affirm and will endeavour to uphold:
- The right to be informed
- The right of access
You can ask us for the data we hold about you (this is a data subject access request). We are happy to give you all the information which we can. This is a straightforward procedure for this, which will include verifying your identity. It doesn’t cost anything. You can ask for the form by emailing (firstname.lastname@example.org) phoning (028 9045 4806) or writing to us (Data Team, SUNI, 157 Albertbridge Road, BELFAST, BT5 4PS).
- The right to rectification
If you think the information we hold about you is not correct, let us know – we will find and update it. We endeavour to do this as soon as you let us know, but always within 30 days.
- The rights to erasure and to restrict processing
You can ask to be forgotten. If we can, we will then delete or destroy the information we hold about you. There may be a compelling reason why this is not possible (e.g. a legal obligation for us to continue to hold your data) but we will always take your request seriously. If we can’t completely delete your data for some reason, it is likely that we could store it without actively continuing to process it (restrict processing).
- The right to data portability
If you want it, we will give you the information we hold about you in an appropriate transferable form.
- The right to object
If you don’t like how we have processed your data based on legitimate interest or for marketing purposes, you have the right to say so, and we will stop processing your information in that way. You can always opt out of any mailings we send and we make sure that it is easy for you to do so.
- You also have rights relating to automated processing and profiling
We don’t use automated processing and we don’t profile people.
Let us know how we can improve
We have thought carefully about protecting your data – about what information we gather, how we use it and store it, and for how long, and how we delete or destroy it when it is no longer needed.
However, all policies and procedures are implemented by imperfect human beings. So if you think we have made a mistake in any way, please let us know and we will work hard to make things right. You can email (email@example.com) phone (028 9045 4806) or write to us (Data Team, SUNI, 157 Albertbridge Road, BELFAST, BT5 4PS).
If you are concerned with how we are handling your information we would like to be able to address those concerns and put things right. However, if you wish to raise any concerns with a supervisory body, you can contact the ICO (Information Commissioner’s Office). You will find information on how to do this on the ICO website (www.ico.org.uk) or by phoning the ICO on 0303 123 1113 or writing to The Information Commissioner’s office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. There is also a regional office (write to ICO, 3rd Floor, 14 Cromac Place, Belfast,BT7 2JB, phone 028 9027 8757 or email firstname.lastname@example.org)