C·A·T Privacy Policy

About us

In this Privacy Policy, references to ‘we’ or ‘us’ are to Canterbury Archaeological Trust, a company limited by guarantee registered in England (no. 1441517) and a Registered Charity in England and Wales (no. 278861). Our registered office is 92a Broad Street, Canterbury, Kent, CT1 2LU.

We will be the controller of any relevant personal data regarding employees, clients, subcontractors, landowners, trustees, volunteers, students, work experience children and their parents/guardians processed or described in this Privacy Policy as part of our operations.

We will not pass on your details to any third-party unless you give us permission to do so, or we are required to do so by law.

We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last reviewed on 09/11/2021.

The Data Controller for Canterbury Archaeological Trust Ltd is Alison Hicks, Director.

Cookies and tracking

When you visit the Site, we don’t use cookies, we don’t generate any persistent identifiers and we don’t collect or store any personal or identifiable data. All of the data is aggregated data only and it has no personal information. All site measurement is carried out absolutely anonymously and is GDPR, CCPA and PECR compliant. This data is stored on our servers at the Amazon AWS London data centre.

We use Plausible Analytics to track overall trends in the usage of our website. For more information, please visit the Plausible Analytics Data Policy.

Exemptions

Certain data is exempted from the provisions of the GDPR including the following:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the business, including safeguarding and prevention of terrorism and radicalisation

Data security

Canterbury Archaeological Trust takes appropriate technical and organisational steps to ensure the security of relevant personal data. We have implemented security measures to protect the personal data that we have under our control from:

  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification

The Company ensures that all employees are aware of their responsibilities under GDPR, and provides them with the necessary advice, guidance and awareness training in handling personal data.

Processing of personal data

We are committed to complying with the General Data Protection Regulation (GDPR) in fulfilling our duty to the rights for individuals and in the collection, processing and transfer of personal information to ensure that personal data is:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specific, explicit and legitimate purposes only
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
  • Accurate and, where necessary, kept up to date. We will take every reasonable step to erase or rectify inaccurate personal data
  • Not kept in a form which allows identification of the subject for longer than is necessary for the specified purpose(s)
  • Processed in an appropriately secure manner including protection against unauthorised use, accidental loss, destruction or damage.

Your personal data – what is it?

“Personal data” is any information relating to a (living) person that allows them to be directly or indirectly identified from that data. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.

What data do we process?

Employees

Employee data is saved in secure personnel files in the main office and on our secure finance & project management system (MYOB Greentree finance). Information includes but is not restricted to:

  • A form recording Personal Details, Bank Details, Emergency Contact Information and information on Suitability for Work,
  • HMRC starter checklist,
  • Home Office right to work checklist,
  • A Fit for Work form, in which information on medical conditions and relevant prescribed medication is requested. This information enables us to ensure the safety of employees, but it does not exclude them from working with us.

This information is held securely and confidentially and only available to the HR and finance team.

Job applicants

Data from job applicants is collected in a variety of ways, for example it might be contained in application forms, CVs, from passport or identity documents, or through interviews or other forms of assessment. Data will be stored in a range of different places, including on application records, in HR management systems and on other IT systems (including email). Information will be shared internally for the purpose of the recruitment exercise. This includes members of the recruitment team, interviewers involved in the recruitment process, and IT staff if access to the data is necessary for the performance of their roles. We will not share your data with third parties unless applications for employment are successful and an offer of employment is made. We will then share data with former employers to obtain references and undertake employment background checks. Where applications for employment are unsuccessful, we will hold data on file for a maximum of one year from the closure of the recruitment campaign.

Clients

The majority of our clients are businesses and are not therefore supplying us with personal data other than their name along with their business contact details. Some clients are private individuals requiring our services. We only collect their name, address and phone numbers to be able to supply the required service or advice.

Customer information is held:

  • on our secure finance & project management system (MYOB Greentree finance),
  • on our customer database, which is located in a restricted part of the server, or
  • on project-specific folders that are removed for secure archiving once a project has been completed.

Subcontractors & suppliers

Checks are carried out on all subcontractors and suppliers before they are authorised to supply us with business services. Information gathered during these checks is stored in a secure location. Once approved, subcontracted business services usually supply us with contact names and business contact details. This information is held on our secure finance & project management system (MYOB Greentree finance). Some subcontractors are freelance specialists whom we take on under a temporary contract for a specific project. As such we treat them as suppliers and the data we collect is name, address, (emergency contact details if site working) and payment details to pay their invoice. This information is kept on our secure finance & project management system (MYOB Greentree finance).

Volunteers & students

Volunteers and students are asked to fill in and sign:

A Volunteer Information form, in which we ask for name, address, email and telephone numbers as well as emergency contact name and details. This information allows us to contact them and keep them up to date with opportunities for volunteering and other events.

A Fit for Work form, in which information on medical conditions and relevant prescribed medication is requested. This information enables us to ensure volunteer and student safety and comfort whilst working with us, but it does not exclude them from working with us.

This information is held securely and confidentially and only available to the HR team and relevant members of the Outreach department.

Trustees

Our Trustees supply us with their name, address, email, telephone number and date of birth for our Register of Directors form. This information is required as part of our corporate governance and the contact details are available on Companies House and the Charity Commission websites.

The full details are held securely and confidentially and only available to the Chairman of the Trustees and the Director.

FCAT members

FCAT members may supply us with their name, address, email, telephone number and such banking details as are necessary for the payment of subscriptions. These data enable FCAT to manage their membership records effectively and to send individual members regular information by post and email. This mainly comprises newsletters and publications, notices of events and meetings, and information about the management and organisation of FCAT. Personal details relating to FCAT members, as listed above (hard and digital copies), are held securely and confidentially and are only available to the FCAT Membership Secretary and the FCAT Treasurer. Committee members involved in organising the distribution of printed copies of newsletters, the C·A·T Annual Report and other information of interest may see mailing details. FCAT officers, when they wish to send group emails to those members with email addresses, utilise a group email address where individual names and email addresses are hidden. A single member of the Committee is charged with updating this list. If any member leaves FCAT, the Membership Secretary will remove their data from our records within one year of the date they left.

Landowners

We need to contact landowners of sites where archaeological archives are generated to gain their permission to deposit the archive with the relevant museum to facilitate its long-term preservation. The information we request is a name and address so that we can send them a Transfer of Title form to fill in; these details are then passed to the museum who have a legitimate interest in acquiring them as part of the legal agreement that the Transfer of Title constitutes and will not use them for any other purpose than to acknowledge said Transfer of Title. At Canterbury Archaeological Trust these details are kept securely within the archives folder where only relevant Senior Managers have access and are retained at Canterbury Archaeological Trust until deposited and the Archive Transmittal Record is completed.

Special category data

We may be required to process data that is more sensitive such as:

  • data relating to medical information,
  • gender,
  • religion,
  • race,
  • sexual orientation,
  • and criminal records and proceedings.

We do this to be able to report on our diversity profile and comply with some government legislation such as Gender pay gap reporting. It also enables us to formulate and implement employment procedures to break down barriers to equality. This data is held securely and confidentially and only available to the HR and finance team.

Right of access to information

Individuals have the right of access to their personal data held by Canterbury Archaeological Trust, subject to the provisions of the GDPR and the Freedom of Information Act 2000. Any individual wishing to access their personal data should put their request in writing to the Data Controller for Canterbury Archaeological Trust Ltd, Alison Hicks, Director, 92a Broad Street, Canterbury, Kent, CT1 2LU. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days from receipt of request. We do not charge a fee but if a request is manifestly unfounded or excessive we may charge a reasonable fee for the administration costs.

Right to rectification

Canterbury Archaeological Trust will endeavour to ensure that all personal data held is accurate and up to date and will amend or change data upon request if it is inaccurate. It is important that the personal data we hold is accurate and current so please keep us informed if your personal data changes during your relationship with us. Employees can pass any updates directly to the finance and HR team. We will endeavour to respond to any written requests as soon as is reasonably practicable and, in any event, within 30 days from receipt of request.

Right to erasure

Individuals have the right to have personal data erased, though this right is not absolute and only applies in certain circumstances (see Article 17 of the GDPR for full details). Any individual wishing to have their personal data erased should put their request in writing to the Data Controller for Canterbury Archaeological Trust Ltd, Alison Hicks, Director, Canterbury Archaeological Trust, 92a Broad Street, Canterbury, Kent, CT1 2LU. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days from receipt of request. We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.

Right to restrict or object to data processing

Individuals have the right to request the restriction or suppression of their personal data, though this is not an absolute right and only applies in certain circumstances (see Articles 18 and 21(1) of the GDPR for full details). Individuals can also object to the processing of their personal data to stop it being used for direct marketing. Any individual wishing to restrict the processing of their personal data should put their request in writing to the Data Controller for Canterbury Archaeological Trust Ltd, Alison Hicks, Director, Canterbury Archaeological Trust, 92a Broad Street, Canterbury, Kent, CT1 2LU. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days from receipt of request. We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.

Right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes i.e. in a structured, commonly used and machine-readable format and/or have it transmitted directly to another controller. We will comply with this where it is technically feasible. Any individual wishing to obtain their personal data for this purpose should put their request in writing to the Data Controller for Canterbury Archaeological Trust Ltd, Alison Hicks, Director, Canterbury Archaeological Trust, 92a Broad Street, Canterbury, Kent, CT1 2LU. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days from receipt of request. We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.

Automated decision-making including profiling

Canterbury Archaeological Trust does not make any automated individual decision-making or profiling.

Retention of data

Canterbury Archaeological Trust may retain data for differing periods of time for different purposes as required by statute or best practices. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. It should be noted that our standard company disaster recovery process requires regular and secure data back-ups.

Transfer of data abroad

Canterbury Archaeological Trust will only transfer data to countries or territories outside of the European Economic Area (EEA) if their systems comply with measures giving equivalent protection of personal rights through international agreements.

Data Breach Notification

Canterbury Archaeological Trust has a response plan for addressing any personal data breaches that occur either by accidental or deliberate causes.

Contact details

If you have any questions about this Privacy Policy, please contact the Data Controller for Canterbury Archaeological Trust Ltd, Alison Hicks, Director, 92a Broad Street, Canterbury, Kent, CT1 2LU.