Privacy Policy


LAST UPDATED: 08/06/26

Who we are

We are the ReQuest Foundation

Our registered address is c/o 3 Sandown Road, Deal, Kent CT14 6PH.

Our website address is: www.requestfoundation.org.uk

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Where we send your data

Visitor comments or contact may be checked through an automated spam detection service. We will keep it on file for as long as it is of benefit to you and still relevant to do so.

GDPR Policy


LAST UPDATED: 20/09/25

Overview

This policy outlines the ReQuest Foundation's commitment to data protection and compliance with the UK Data Protection Act. The purpose of this policy is to ensure that all personal data held by the charity is processed lawfully, fairly, and transparently, and that the rights of data subjects are protected. This policy applies to all individuals working on behalf of the ReQuest Foundation, including trustees, staff, and volunteers.

Data Protection Lead

The ReQuest Foundation will appoint a Data Protection Lead who will be responsible for overseeing data protection and leading on any incident investigation and reporting. The Data Protection Lead will also ensure that all staff and volunteers are provided with any induction, on-the-job or other training and made aware of their data protection responsibilities.

Data Protection

Data protection is the practice of safeguarding personal information by applying data protection principles and complying with the Data Protection Act. The Data Protection Act is a UK law that regulates the processing of personal data. The UK Information Commissioner's Office (ICO) provides guidelines on data protection that the ReQuest Foundation will follow.

UK GDPR: The UK General Data Protection Regulation, which outlines the rules for processing personal data in the UK.

Data Processor: An individual or organisation that processes personal data on behalf of a data controller.

Data Controller: An individual or organisation that determines how and why personal data is processed.

Data Subject: An individual whose personal data is being processed.

Processing: Any operation performed on personal data, including collection, storage, use, and disclosure.

Personal Data: Any information that can identify a living individual, such as name, address, or email address.

Sensitive Personal Data: Personal data that requires extra protection, such as health information or ethnic origin.

Direct Marketing: Any communication aimed at promoting a product or service directly to an individual.

PECR: The Privacy and Electronic Communications Regulations, which govern electronic direct marketing.

Valid Consent: Consent that is freely given, specific and informed, and that can be withdrawn at any time.

Legitimate Business Purpose: A lawful reason for processing personal data that is necessary for the legitimate interests of the data controller or a third party.

Data Protection Principles

Data is:

  • Processed lawfully, fairly and in a transparent manner

    • There are several grounds on which data may be collected, including consent.
    • We are clear that our collection of data is legitimate and we have obtained consent to hold an individual’s data, where appropriate.
    • We are open and honest about how and why we collect data and individuals have a right to access their data. 
  • Collected for specified, explicit and legitimate purposes and not used for any other purpose. 

    • We are clear on what data we will collect and the purpose for which it will be used.
    • And only collect data that we need.
    • When data is collected for a specific purpose, it may not be used for any other purpose, without the consent of the person whose data it is.  
  • Adequate, relevant and limited to what is necessary. 

    • We collect all the data we need to get the job done.
    • And none that we don’t need.
  • Accurate and, where necessary, kept up to date. 

    • We ensure that what we collect is accurate and have processes and/or checks to ensure that data which needs to be kept up-to-date is, such as beneficiary, staff or volunteer records. 
    • We correct any mistakes promptly.  
  • Kept for no longer than is necessary.  We understand what data we need to retain, for how long and why.

    • We hold data only for as long as we need to.
    • That includes both hard copy and electronic data.
    • Some data must be kept for specific periods of time (eg accounting, H&SW).
    • We have some form of archive/review policy/process that ensures data no longer needed is destroyed. 
  • Processed to ensure appropriate security, not only to protect against unlawful use, but also loss or damage.  We follow the ICO guidance on data storage, sharing and security.

    • Data is held securely, so that it can only be accessed by those who need to do so.  For example, paper documents are locked away, access to online folders in shared drives is restricted to those who need it, IT systems are password protected, and/or sensitive documents that may be shared (eg payroll) are password protected.
    • Data is kept safe.  Our IT systems have adequate anti-virus and firewall protection that’s up-to-date.  Staff understand what they must and must not do to safeguard against cyber-attack, and that passwords must be strong and not written down or shared.  
    • Data is recoverable. We have adequate data back-up and disaster recovery processes.

Individual Rights

We recognise that individuals’ rights include the rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability and to object.

Use of Imagery/Video

All imagery is protected by copyright and cannot be used without the consent of the owner, usually the person who took the image. You may also need consent from the individuals in images of individuals and small groups, which may well fall within the Data Protection Act.  However, there is some ambiguity, so err on the side of caution and obtain consent wherever this is reasonably possible. Particular care is to be taken when using images of children or other vulnerable people. 

Here are some questions to consider when using imagery:

  • For what purpose was the original image taken?  If it was for one purpose, such as personal use, it cannot be used for another without the consent of the individuals concerned.
  • Is the image sensitive personal data? If it is, do you have the individual's consent?
  • For small groups and individuals, has an image consent form been used?
  • When using images of children, or people who may not be competent, do you have valid consent?
  • When using images of children or other vulnerable people, are you confident your use of the image will not place them at risk?  Particularly, if it is to be used publicly, such as in the Media or on the web.
  • When photographing large groups, have the individuals been given a chance to opt out of the photograph?
  • Has the person/people in the image been told how the image will be used?
  • Are you using the image according to how the person/people were told it would be used?

Data Breach

A breach is more than only losing personal data.  It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 

We will investigate the circumstances of any loss or breach, to identify if any action needs to be taken.  Action might include changes in procedures, where these will help to prevent a re-occurrence, or disciplinary or other action in the event of negligence.

We will notify the ICO within 72 hours of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals. For example:

  • Result in discrimination.
  • Damage to reputation.
  • Financial loss.
  • Loss of confidentiality or any other significant economic or social disadvantage.

The DPA is extensive, so listed below are some of the provisions that don’t apply to everyone.  Select any that apply to you for including in your policy and delete the others.

Complaints

DATA PROTECTION COMPLAINTS

In line with the ICO’s guidance and the Data (Use and Access) Act 2025, we have a dedicated process for handling complaints relating to personal data. Anyone who believes we have not handled their personal information appropriately may raise a data protection complaint with us.

We will:

  • Provide a clear and accessible way for individuals to submit data protection complaints.
  • Acknowledge receipt of such complaints within 30 calendar days.
  • Take appropriate steps to investigate the complaint without undue delay, including making necessary enquiries and keeping the complainant informed throughout.
  • Communicate the outcome of the complaint promptly and clearly, explaining any actions taken or decisions made.

All complaints will be handled fairly, transparently, and in accordance with our obligations under the Data Protection Act. If the complainant remains dissatisfied, they may escalate the matter to the Information Commissioner’s Office (ICO).

Other Policies

You may wish to cross-refer your Data Protection policy to other relevant policies, such as safeguarding or document retention.

Children

People under 13 years of age are not legally able to give consent.  You may also wish to ensure that privacy notices, or other information you give them, are written and presented in a way that is understandable and fair.

People Who Are Not Competent

Some people are unable, or may be unable, to give consent, and this must be obtained from the person who is able to make decisions on their behalf, such as a Lasting Power of Attorney.  Any decisions that you may make on their behalf must always be in their best interests.

Vulnerable Groups

If you work with people who may be particularly at risk, you may wish to include additional provisions to protect them. 

Special Category Data

Special category (sensitive) data is more sensitive and so needs more protection. For example, information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

International Data Transfers

We comply with the ICO guidance when transferring data to another country.

Privacy And Electronic Communications

Special regulations, known as PECR, cover electronic marketing messages (by phone, fax, email or text), cookies and electronic communication services to the public.

Fundraising

We will ensure that our fundraising complies with the Data Protection Act and ICO guidelines and also the Fundraising Regulator guidelines including, if applicable, direct marketing and PECR.  We will respect the privacy and contact preferences of our donors.

Fundraising Preference Service

We will respect the privacy and contact preferences of our donors. We will respond promptly to requests to cease contacts or complaints and act to address their causes.

Artificial Intelligence

We have adopted and comply with the Charity AI Ethics & Governance Framework and ICO AI guidance.  If AI has access to data sets containing personal information, such as staff or beneficiary records, we have carried out an AI Risk Analysis and a data protection impact assessment (DPIA) and updated our data protection policy and procedures to reflect this.

Data Retention

Our data will only be kept for as long as there is an administrative need to do so in order to enable our charity to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or to meet legislative requirements.

In general, records are kept for 6 years after the end of the accounting year to which they relate but we do not keep personal records any longer than necessary and certain records may be required to be retained for longer.  Factors affecting retention periods include legal requirements, storage costs, historical value, industry standards, and archival needs.

Help And Support

The regulator, the Information Commissioner’s Office (ICO), has produced guidance for charities here; to contact the ICO by phone, email or live chat, click here. You can find a self-assessment tool and other resources for micro, small and medium sized organisations here.