The Bridge Christmas Prize Draw

Terms & Conditions

Anyone over the age of 18 can enter the prize draw. For winners of physical prizes such as gift boxes, prizes will need to be collected from The Bridge in Leicester. Address Provided below.

People may enter in the prize draw by accessing the Crowdfunder website and buying entries, the more entries a person has the more chance there is to win a prize. All money earned through entries will go to The Bridge charity to help support people experiencing homelessness over winter and Christmas. A free entry route is available by post, by sending in your name, address, email, and number of entries to 43 Melton Street, Leicester, LE1 3NB. All entries done this way will not support the charity and therefore not support those experiencing homelessness.Entry routes which incur a minimum, unavoidable cost of entering are still likely to be considered free entry routes providing there is no additional cost Entries cost £2 each, with promotions to gain more entries; £10 will gain 12 entries, and £15 will gain 30 entries. Entering on the site requires you to fill in information requested, choose how much to pay, and pay through means of bank transfer. There is no limit on how many entries can be purchased by one person. The full name of the company organising and prompting this prize draw is The Bridge - Homelessness to Hope. The start date of this prize draw is Tuesday the 5th of November, and the end date is Monday the 2nd of December. Prizes include both physical items and digital vouchers. Physical gifts include: Lush Gift Box, Leicester Football Club Stadium Tour for 4 people, Family Pass to King Richard Centre, 2 tickets to the Phoenix Cinema, and a £10 Willabean Voucher. Digital voucher prizes include: National Space Centre tickets for 2 adults and 2 children, CaddyShack voucher for 8 players for 2 rounds, and an East Street Lanes voucher for 4 bowlers for 1 round. Winners will be selected through a randomly generated prize draw, and announced by email. Ou privacy policy and how we will handle personal data for the draw:DATA PROTECTION POLICY 

Introduction 

The Bridge needs to collect and use certain information about individuals in order to carry out its day-to-day activities as a charity and a responsible employer. 

The individuals about whom The Bridge collects data include staff (plus their next of kin and where appropriate partners and dependants), service users, volunteers, trustees and consultants, suppliers, and others with whom The Bridge has a legitimate business relationship. 

 Purpose 

This policy sets out how The Bridge discharges its responsibility to comply with the Data Protection Act 2018 (DPA2018) and the General Data Protection Regulation (GDPR). 

The policy is supported by more detailed policies on data security (IT and data security policy) and data retention, and privacy notices for different types of data subject [see below]. 

Data Protection Act and General Data Protection Regulation 

DPA2018 and GDPR are concerned only with the protection of ‘personal data’ – i.e., data relating to identifiable living individuals (data subjects), not data relating to organisations. 

The Bridge recognises its obligation to have at least one of the six prescribed legal bases for any processing of personal data, and to meet at least one of the additional conditions for processing special category data [see below]. 

The Bridge fully endorses and adheres to the six Principles of Data Protection which must be observed at all times when processing of personal data. 

The term ‘processing’ is defined by GDPR to cover a wide range of activities including collecting, recording, organising, using, disclosing, storing, and deleting data. 

Data subjects and purposes of data processing at The Bridge 

The Bridge provides appropriate privacy statements for different types of data subject and makes these prominently available. 

Beneficiaries or Service Users  

The Bridge processes personal data from current, past, and prospective service users for the purposes of delivering an effective service.  We may capture CCTV images in the accommodation. Full details can be found in The Bridge service user privacy statement. 

Staff, applicants, and ex-staff 

The Bridge processes personal data from current, past, and prospective employees for the purposes of administering and maintaining HR records.  Full details can be found in The Bridge employee and applicant privacy statement. 

In addition, we monitor computer use and record your personal expenses whether charged on company credit cards or reimbursed to you when you incur these yourself, as detailed in our computer and expenses policy. 

Volunteers 

The Bridge processes  personal data from current, past, and prospective volunteers for the purposes of administering and maintaining safety and contact details records.  Full details can be found in The Bridge volunteer privacy statement. 

Trustees and consultants, suppliers, and business contacts 

The Bridge also processes the personal data of trustees and consultants, suppliers, and others with whom it has legitimate business relationships. 

Special category data 

The processing of ‘special category’ personal data must comply with one of an additional set of conditions listed in GDPR and amplified in DPA2018.  Special category data includes an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health, sex life or sexual orientation.  Data concerning an individual’s criminal record, court appearances, etc, is not special category data but, under DPA2018, is treated similarly.   

As an employer The Bridge may process type(s) of special category personal data [and criminal records] about applicants or current members of staff for the sole purposes of administering and maintaining appropriate HR records, and of trustees.   

Data Protection by design and by default 

The Bridge incorporates Data Protection practice into all relevant processes and activities and considers the Data Protection implications of all new projects, activities and processes.  All major and/or novel developments are reviewed by the Data Protection Lead. The management team are responsible for ensuring that Data Protection is taken into account when setting up or modifying routine processes. 

Roles and responsibilities at The Bridge 

The Board of Trustees is ultimately responsible for ensuring that The Bridge meets its legal obligations. 

The Data Protection Lead at The Bridge, with responsibility for day-to-day compliance, is the Operations Manager.  Their responsibilities include: 

• Keeping the Board updated about data protection responsibilities, risks, and issues. 

• Maintaining records that demonstrate how we comply with Data Protection. 

• Advising colleagues on Data Protection practice. 

• Ensuring that all relevant staff (including volunteers) receive Data Protection induction and regular training. 

• Reviewing contracts or contract amendments with Data Processors before they are signed. 

• Reviewing joint processing and data sharing agreements with other organisations before they take effect. 

• Handling all requests from Data Subjects to exercise their Data Protection rights. 

• Being the point of contact for the Information Commissioner 

• Reviewing all data protection procedures and related policies, in line with an agreed schedule 

• Handling data protection questions from staff and anyone else covered by this policy. 

• Being the first point of contact in the event of a personal data breach or suspected breach 

• Ensuring that all members of the staff team (and volunteers) are reminded, at least annually, of their roles and responsibilities when processing personal data and that training is undertaken by individual staff members and volunteers as appropriate 

All members of staff employed by The Bridge and any volunteers working with client data are responsible for complying with policies and procedures which are designed to ensure that:  

• Data is obtained fairly and transparently 

• Data is only obtained or held if there is a good reason for doing so 

• Data is used only for the purposes for which it is collected.  Data is not used for purposes other than those made known at the time the data was collected 

• Data is accurate and where necessary up to date, with data inaccuracies being rectified as soon as they are discovered 

• Data is not held for longer than necessary and is destroyed in line with The Bridge’s retention policy 

• Data is held in as few places as necessary and not unnecessarily duplicated 

• Access to personal data is restricted to those who need it for clearly defined purposes 

• Appropriate security measures are in place and followed 

• Any request from a data subject to exercise their Data Protection rights is passed to the Data Protection Lead without delay 

• Any breach, possible breach or near miss is reported to a manager or to the Data Protection Lead as soon as anyone becomes aware of it 

• Personal information is not transferred abroad without suitable safeguards and only on The Bridge’s authority 

• Disclosure of personal data outside The Bridge, unless in exceptional circumstances and with the authorisation of the Data Protection Lead, takes place only with the prior knowledge of the data subject 

8.Data processors 

A number of data processors are currently used by The Bridge.  These are: 

• Simple Computing Ltd for the provision of IT Helpdesk and technical support and advice 

• Nest for the provision of pensions;  

• Companies House for details of the Company Secretary and Director’s address 

Contracts with all the above, and all future contracts with data processors, are kept under review with the aim of explicitly setting out the responsibilities of each in line with the provisions of GDPR. 

9.Collaboration with other organisations 

Whenever The Bridge agrees to exchange data with one or more other organisations, or to collaborate in an activity that involves the use of personal data, the organisations involved draw up an agreement, setting out their respective Data Protection responsibilities. 

10.Legal bases for processing 

The Bridge carries out all its processing of personal data under an appropriate legal basis, which is typically assessed as follows: 

• Where the processing is necessary for a contract that is normally the legal basis 

• where the processing is necessary under a legal obligation that is normally the legal basis 

• where the processing is necessary in the course of our routine activities our legal basis is normally legitimate interests, provided we have carried out and documented an appropriate assessment 

• where it is appropriate to offer the data subject a genuine choice, or where no other basis applies, our legal basis is normally consent 

The Bridge does not carry out any public functions and recognises that the vital interests legal basis is only to be used in the case of serious emergencies. 

It is normally the responsibility of the Operations Manager to assess the appropriate legal basis for the activities of their team and to carry out an assessment if required.  Complex or potentially controversial cases may be referred to the Board. 

11.Data protection processes and procedures at The Bridge 

The Bridge takes seriously the protection of personal data and has taken the necessary steps to ensure that it is processed safely and securely. 

• Staff and trustees (and volunteers where relevant) receive appropriate regular training on data protection issues including IT security 

• The Bridge’s IT, Acceptable Use and Data Security Policy sets out the procedures and best practice that all staff and trustees and volunteers must adhere to in order to ensure the security, integrity, and availability of data and resources 

12.Data subject rights 

The Bridge recognises the rights of individuals, and in particular those that are applicable to The Bridge’s processing: to be informed; to access their data; to rectification of inaccurate data; to erasure of data in certain circumstances and to restriction of processing in certain circumstances. 

Subject Access Requests 

The Bridge aims to comply with written requests for access to personal information as quickly as possible but will ensure that it is provided – in accordance with guidance from the Information Commissioner – within the one month timeframe specified by GDPR.   

Third Party requests for data 

In certain circumstances data protection legislation allows personal data to be disclosed for purposes such as law enforcement without the consent of the data subject.  Under these circumstances, The Bridge will disclose the requested data having first ensured that the request is legitimate. This may include taking legal advice. 

13.Data Breaches 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  A breach can be accidental or deliberate. Examples of breaches can include: 

• Access by an unauthorised third party 

• Deliberate or accidental action (or inaction) by a controller or processor 

• Sending personal data to an incorrect recipient 

• Computing devices containing personal data being lost or stolen 

• Alteration of personal data without permission 

• Loss of availability of personal data 

Any breach of data protection must be reported immediately to the Operations Manager for inclusion in the data breach log.  Information recorded must include date of the breach, number of people affected, nature of the breach, description of the breach, how we became aware of the breach, description of the data in the breach. 

Following a breach immediate remedial action should be taken and the details recorded in the breach log.  This should include the consequences of the breach, whether all individuals affected have been informed of the breach, what remedial action was taken and the date the ICO was informed of the breach (if required). 

The Bridge expects all staff to report data breaches promptly, not to hide them. The Bridge will take the promptness of staff actions into account when managing the situation.  

Breaches must be reported to the ICO if there is a likely risk to people’s rights and freedoms.  If, on assessment, the risk is unlikely there is no need to report it however details of the breach and justification of the decision not to report it must be documented in the breach log.  

More information on data breaches can be found on the ICO website. 

The data breach log should be used in the same way as the accident book, namely even the most minor breach should be recorded as this becomes a very useful resource for training and data security strategy.   

Status of the Policy 

This policy has been approved by The Bridge Board of Trustees. Any breach will be taken seriously and may result in disciplinary action.