Howden Foundation Privacy & Data Protection Policy

Policy overview and commitments to Privacy & Data Protection

The Howden Foundation (“the Foundation”) is the working name of the Howden Group Foundation (“we”, “us”, “our”), a charitable incorporated organisation (“CIO”) registered in England & Wales (Charity Number 1156286), which collects and uses information which may identify individuals ("personal data"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.

The purpose of this Privacy Notice is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you. 

Do read this Policy with care. It provides important information about how we use personal data and explains your legal rights. 

We may amend this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate the Foundation. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you will always know what personal data we collect, how we use it, and with whom we share it.

This version of the Privacy & Data Protection Policy was published on the 2 October 2023.

Who does this Policy relate to?

This Policy relates to the following core types of individuals, where we hold your personal information:

  • Individuals who are Foundation Trustees and Staff Members of Howden Group;
  • Other Charity Trustees and Staff Members;
  • A beneficiary of one of our charitable activities;
  • Supporters of the Foundation;   
  • Visitors to our websites.

1. Who is responsible for looking after your personal data?

The Howden Foundation is the Data Controller, contact details can be found in Section 9 of this Privacy Policy.  

As a Data Controller, we are regulated by the Information Commissioner’s Office (ICO), but as a CIO we are not required to formally register. 

2. WHAT personal data do we collect?

We collect your personal data and use it in different ways depending on your relationship with us and how you have interacted with us. This can include information we share with, or receive from, other third parties. 

Depending on your relationship with us, we may hold the following types of personal data about you: 

Identity and contact data: for example, your name, date of birth, postal address, telephone number and e-mail address. 

Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations. 

Internet data: for example, information collected by cookies and other online technologies such as Google Analytics, as you use our website or contact us by online methods. 

Special Category Data

Certain types of information are known as “special category data” under data protection law, and receive additional protection due to their sensitivity, for example information that reveals your criminal conviction history. 

We will only collect this information where we have a legal basis for doing so, and where it is strictly necessary. 

3. What PURPOSES do we use your personal data for and what is our LEGAL BASIS?

Under data protection law, we are required to establish a legal basis to use your personal data (please see below). From time to time, you may need to provide us with the personal data of a third party, and you should take steps to inform the third party that you need to disclose their details to us.

We use your information for the following lawful reasons: 

  • To enter into or perform a contract: for example a funding agreement that you may enter with us.
  • To comply with a legal obligation: for example the rules set by our regulator the Charity Commission for England and Wales , to fulfil your data rights under data privacy laws, handle complaints about data privacy and to comply with other legal requirements such as preventing money laundering and other financial crimes;
  • For our legitimate interests: for example to inform you of matched funding or smaller charitable donations as part of our People First Fund.
  • With your consent: for example when you ask us to provide you with information or permit us to contact you. You can withdraw your consent at any time, for more information please visit the “Your data rights” section of this Policy.
  • To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others. 

Special Category Data 

We use your special category data for the following lawful reasons: 

  • Your explicit consent; For example for conducting safeguarding checks on volunteers participating in activities with our charity partners.


4. Who do we SHARE your personal data with?

Where applicable, we share your personal data with the following types of third parties when we have a valid reason to do so; 

  • Other Charities;
  • Service Providers, who help manage our IT and back office systems;
  • Donation platforms;
  • Our regulator, the Charity Commission for England & Wales;
  • Courts, regulators or law enforcement agencies;
  • Other Charity Trustees and Staff Members;
  • HMRC
  • Financial institutions, such as banks and including credit reference agencies and organisations working to prevent fraud in financial services; 
  • Solicitors and other professional services firms (including our auditors), who may also be legal representatives for you, us or a third party.

5. International Transfers

We may transfer data to our Service Providers and Howden Group companies, including those that are located outside the UK. We may also make other disclosures of your personal data overseas, for example to other charities who have been selected as part of our charitable activities, or in response to a legal or regulatory request from a foreign law enforcement body. If the Data Protection laws of the country where we transfer your data are not recognised as being equivalent to those in the UK, we will ensure that the recipient enters into a formal legal agreement that reflects the standards required. 

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 9 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality). 

6. Automated Decision Making and Profiling

We do not carry out profiling or automated decision making on the personal data we collect.

7. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 3 of this Policy. In most cases this will be for seven (7) years following the end of our relationship with you however, in some circumstances we may retain your personal data for longer periods of time, for instance;

  • Where we are required to do so in accordance with legal, regulatory, tax or accounting requirements. 
  • So that we have an accurate record of your dealings with us in the event of any complaints or challenges. 
  • If we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted, anonymized or stored in a way which means it will no longer be used by the business. You can request a copy by contacting us on the details shown in Section 9 of this Policy.

8. What are your rights?

Data protection law gives you rights relating to your personal data. This section gives you an overview of these and how they relate to the information you give us. 

The UK supervisory authority for data rights, the Information Commissioner’s Office (ICO), has also published detailed information about your rights on their website:

Your right of access
You have a right to request copies of the personal data we hold on you, along with meaningful information on how it is used and who we share it with. 

This right always applies, but there are some instances where we may not be able to provide you with all the information we hold. If this is the case, we will confirm why we are unable to provide it - unless there is a valid legal reason that means we cannot let you know why. 

Your right to rectification
If personal data we hold is inaccurate or incomplete, and this has an impact on the way we are using your data, you have the right to have any inaccuracies corrected and for any incomplete data to be completed. 

If you ask us to rectify your personal data, we will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why. 

Your right to erasure (the right to “be forgotten”)
You have the right to request that your personal data is erased in certain circumstances. 

If you ask us to erase your personal data, we will either confirm to you that this has been done, or if we are unable to delete it, let you know why and also inform you how long we will hold it for. For more information, see Section 7 of this Policy. 

Your right to restrict processing
You can ask us to restrict the use of your personal data in certain circumstances. 

If you ask us to restrict the use of your personal data, we will either confirm to you that this has been done, or if we are unable to restrict it, we will inform you why. 

Your right to object to direct marketing
You can object to receiving direct marketing from us. 

If you do so, we will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future. 

Your right to object to automated decision-making
You can object to decisions made about you using your personal data undertaken by purely automated means. 

If you do so, we will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you. 

Your right to challenge our legitimate interests
You can challenge the use of your personal data where we use a legitimate interest as a legal basis to process your information. You can find more information on when we use this legal basis in section 3 of this Policy. 

If you do so, we will either confirm to you that the processing has stopped, or there is a valid reason for the processing to continue, we will inform you why. 

Your right to object to the use of your information for statistical purposes
You can object to us using your personal data for statistical purposes in some instances. 

If you do so, we will either confirm to you that the processing has stopped, or there is a valid reason for the processing to continue, we will inform you why. 

Your right to data portability
In certain circumstances, you have the right to request that your personal data be compiled into a common, machine readable format and either provided directly to you or sent by us to a third-party you nominate. 

If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why. 

Your right to complain
If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us, and can contact us to raise your concerns using the details shown in Section 9 of this Policy.

If you remain unhappy with our response you may raise a complaint with a supervisory authority responsible for data protection and privacy. 

In the UK, the supervisory authority is the Information Commissioner’s Office (ICO), who can be contacted using the following details: 

By e-mail:
By telephone: 0303 123 1113
By post: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. 

9. How you can contact us

We take data privacy seriously and your opinion matters to us. The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. 

The Howden Foundation’s Data Protection Officer is Andy Searle, who can be contacted in the following ways:

By e-mail:

By telephone: +44 (0) 7849 090309

By post: Data Protection Officer, The Howden Foundation, 1 Creechurch Place, London, EC3A 5AF.