About this privacy notice
This privacy notice explains how the Independent Commission for Aid Impact (ICAI) collects and uses your personal information in accordance with the law and the General Data Protection Regulation (GDPR). As an organisation we work to improve UK aid and through robust, independent, scrutiny of UK government aid spending.
ICAI is a “data controller”, which means that we hold and use personal information about you. It is important that we ensure the security and privacy of this information, in order to comply with legislation and to ensure the rights of individuals.
The Information Commissioner holds a register of data controllers who process personal information. Data controllers are required to notify and renew their registration on an annual basis. Our ICO registration number is ZA125098
Data Protection Principles
Data protection law states that the personal information owe hold about you must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specific purposes which we have explained to you, and will not be used in any other way which is incompatible with those purposes.
- Relevant to the purposes we have explained to you and limited to those purposes only.
- Accurate and kept up to date.
- Held only for as long as is necessary for the purposes that we have explained to you.
- Processed or held in a way that ensures security.
The kind of information we hold about you
Personal information (data) is any information from which an individual can be identified.This does not include personal data where the individual’s identity has been removed (also known as anonymous data). “Special categories” of information are particularly sensitive information which requires a greater level of protection.
As an organisation, ICAI collects, uses and stores various kinds of personal information. This may include:
- Your personal contact details such as name, address, date of birth, telephone number and email address.
How we collect your information
Personal information is collected where:
- You make a public enquiry or complaint.
- You have visited pages on our website (Cookies).
- You subscribe to our newsletter
- You engage with our work
How we use your personal information
ICAI will only use your personal information where we are legally allowed to do so. We may use your personal data in order to carry out our functions and responsibilities. We will only use your personal information where:
- We are required to comply with a legal obligation.
- It is in our legitimate interest to do so.
- The information is required for us to perform the contract which we have with you.
- It is required for official purposes, or it may be in the public interest to do so.
- We are carrying out a function of the Crown, or a Minister of the Crown.
Your personal information my be processed for the following reasons:
- Maintaining our accounts and records.
- Consideration and investigation of complaints.
- Undertaking research.
- To prevent fraud.
- Corporate administration.
- Where you have asked to be kept informed with development, for example, through subscribing to a newsletter.
- To help us organise events to discuss our work.
- The support and management of our staff.
ICAI will only use your personal data for the purpose for which it was collected unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the lawful basis which allows us to do so.
Automated decision-making is when an electronic system uses personal data to make a decision without any human involvement. We are allowed to use automated decision-making for the following purposes:
- ICAI currently does not use any automated decision-making.
In some circumstances we may be required to share your personal information with third parties. This includes third party service providers and other Civil Service organisations.
Third parties are expected to appropriately safeguard your information, in accordance with legislation. In some circumstances your data may be transferred outside the EU. Should this occur, you can expect similar levels of protection in relation to your personal information.
We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.
A small proportion of our records are transferred to the National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.
Why is my personal data shared with third parties?
ICAI will only share your information with third parties where we are legally required to so, where it is necessary for us to carry out our function as an advisory Non-Departmental Public Body (a NDPB), or if it is in the public interest to do so.
On occasion, we may be required to share ‘special categories’ of information relating to criminal convictions or alleged criminal behaviour.
ICAI takes the security and privacy of your personal information very seriously, and will ensure that the necessary safeguards are in place when sharing your data.
Is my personal data secure with third party service providers?
Our third party service providers are expected to have an appropriate level of security measures in place in order to protect your personal data. They are not allowed to process your personal information for their own purposes. On ICAI’s instruction, third party service providers process personal data on our behalf, which will be in line with our policies as well as in accordance with the law.
When you write to ICAI, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a NDPB to be accountable and transparent about the functions and policies that we are responsible for.
Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. This includes transferring correspondence to a devolved administration if the matter sits with them. We will let you know when this happens. Except as explained here, your correspondence will not be shared outside the government and arms length bodies (ALBs) without your consent.
In the case of requests for information that are handled under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, we will use your personal data as necessary to comply with those laws. We may need to consult with other public bodies where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded. When, in some circumstances, it is necessary to share information requests with third parties outside of government for consultation, any information that identifies you will not be shared.
A record of your correspondence will be held by us for at least three years and then, under normal circumstances, deleted. It will be held by us for at least three years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue, or in accordance with the Public Records Act.
When your personal data will be shared with other Civil Service entities?
ICAI will share your personal information with other Civil Service entities as part of our general management and functioning of the Civil Service, for system maintenance support, business planning and statistical analysis.
ICAI has appropriate procedures and security measures in place in order to protect your personal information. These measures are taken to ensure that your information is not unlawfully accessed or used, and to prevent loss or damage.
In accordance with data protection legislation and the GDPR, your personal information will only be processed by the necessary employees or third parties, meaning that we limit access to your data to only those necessary to carry out our functions and responsibilities. Only employees, agents or contractors that have a business need to know, will have access to your personal information.
We have procedures in place to deal with any suspected data security breach, which includes the notification of the supervisory authority as well as the affected individual/s, where we are required to do so.
We will only hold your personal information for as long as is necessary to fulfil the original purpose for which it was collected. This could include the purpose of satisfying legal, reporting or accounting requirements. Our records are maintained in line with the FCDO’s retention policy which explains the retention periods for various aspects of your personal information.
When establishing appropriate retention periods for personal information, we consider the following:
- The amount of personal information.
- The nature of the information.
- The sensitivity of the information.
- Any potential risks of the information being unlawfully accessed or used.
- Why we process the information, and whether we could achieve our purpose through any other means.
- Any legal requirements.
On some occasion we may anonymise your personal information, which will mean that you cannot be identified from the information. In such cases, we are not required to notify you further. Records will be retained and securely destroyed in accordance with our retention policy, and laws or regulations.
Access to your personal information
Under data protection legislation, you have rights as an individual, in relation to the information that we hold about you. These rights include:
Right to access
You have the right to request access to the information we hold about you, and to check that it is being processed lawfully. Requesting access to your personal information is known as a ‘data subject access request’.
Right to rectification or correction
You have the right to request to have any inaccurate information about you corrected, and any incomplete information completed.
Right to erasure (also known as the ‘right to be forgotten’)
You have the right to request that your personal information be deleted, of the information is no longer necessary in relation to the original purpose for which it was collected. In certain circumstances you are also able to withdraw your consent or object to the processing of your information.
Right to object
There are certain circumstances where you have the right to object to how your information is being processed, when it is based on legitimate interests. You also have the right to object to your data being processed for the purpose of direct marketing or statistics.
Right to restriction of processing
You have the right to request a restriction of the processing of your information, where the accuracy of the information is being contested. This means that your data will still be held, but not further processed.
Right to transfer (also known as ‘data portability’)
In certain circumstances, you have the right to have your personal information transferred from one party (data controller) to another. This will only be possible where the information is being processed on the basis of consent or automated means.
Should you wish to review, verify, update or request erasure of your information, or if you would like to object to the processing of your personal information, please contact email@example.com.
Right to withdraw your consent
If you consented to providing us with your personal information and you would now like to withdraw your consent to your information being processed or held by us, please let us know. It should be as easy to withdraw your consent as it was to provide it in the first place.
Data Protection Officer
ICAI has appointed a Data Protection Officer to ensure compliance with legislation and this privacy notice. Given our size, this officer works for our sponsoring department, the Foreign, Commonwealth and Development Office (FCDO).
If you have any questions relating to this privacy notice or about how we handle your personal information, please contact ICAI on firstname.lastname@example.org.
Changes to this privacy notice
Please be aware that this privacy notice can be updated at any time.