Privacy Information Notice

Who we are

We are Crew 2000 (Scotland).  We are a charity SCO21500 and a private company limited by guarantee SC176635 registered at 32-32A Cockburn Street, Edinburgh, Scotland EH1 1PB.

Crew exists to reduce harm, challenge perceptions and help people make positive choices about their use of drugs and sexual health by providing non-judgemental, credible and up to date information and support. Our vision is to reduce drug and sexual health related harms and stigma, improving mental and physical health without judgement.

We’re committed to protecting and respecting your data privacy and being transparent about what we do with it. This Privacy Policy sets out how and why we obtain, use and protect your personal information. 

Collection, processing and storage of personal data

Crew 2000 (Scotland) collects, processes and stores personal data in order to carry out and promote our organisational aims of providing harm reduction information, advice, support, training and consultancy.

This Privacy Information Notice details what personal data we collect, how we collect it, why we collect it, the lawful basis for processing it, where we store it and how long we store it for. The notice also provides information about how to request, modify or delete the personal data we hold through a Subject Access Request (SAR) and how to contact us with any questions about our data protection policies or procedures.

What do we mean by personal data?

Personal data is any information that can be used to identify you. For example, it can include information such as your name, date of birth, email address, postal address, telephone number, IP address and information relating to your health and personal circumstances.  

Data protection law recognises that certain categories of personal data is more sensitive. These are known as ‘special category data’ and include information relating to health, race, ethnic origin, religious beliefs, political opinion, genetic and biometric data, gender identity,  sex life or sexual orientation and criminal convictions and offences. We collect special category data along with other personal data where there is a need to do so such as when we working with you as part of the counselling, Drop-in, outreach or training services we provide. We may use this information to identify which services would be of most help to you and to support you. 

How we collect personal data

What we collect

  • Name
  • Email address
  • Other information you provide

Why we collect it

  • To respond to enquiries

Lawful basis for processing

  • Consent

Where we store it

  • UK based secure server (our website)
  • Local drives and backups
  • Microsoft Outlook

Third party processors/ International data sharing

  • Microsoft Outlook

What we collect

  • Email address
  • Name if provided
  • Organisation if provided

Why we collect it 

  • To send updates and other information about our services

Lawful basis for processing

  • Consent

Where we store it

  • UK based secure server (our website)
  • Mailchimp

Third party sharing/ International data sharing

  • Mailchimp – a US-based email marketing service

You have the right to opt-out of marketing and fundraising communications and you have the right to choose how you wish to receive information from us. If you do not want to receive direct marketing communications from us then you can change your marketing preferences at any time by contacting us using the details in the ‘Contact us’ section.  

You can also click on the ‘unsubscribe’ button on all marketing and fundraising emails to opt-out of receiving future communications from us by email. 

What we collect

  • Email address
  • Information as you provide e.g name, phone number, company/organisation, job title
  • Other information (eg CVs, internship requests) as provided by you

Why we collect it

  • To send and respond to communications

Lawful basis for processing

  • Performance of contract/ Legitimate interest

Where we store it

  • Microsoft Outlook

Third party sharing/ International data sharing

  • Microsoft Outlook

What we collect

  • Name
  • Email address
  • Phone number
  • Company/organisation
  • Job title
  • Company/organisation Address

Why we collect it

  • To send and track communications
  • To manage training and enterprise

Lawful basis for processing

  • Performance of contract/ Legitimate interest

Where we store it

  • Salesforce

Third party sharing/ International data sharing

  • Salesforce

What we collect

  • IP address

Why we collect it

  • To monitor and analyse usage on website

Lawful basis for processing

  • Legitimate interest

Where we store it

  • Google

Third party sharing/ International data sharing

  • Google

What we collect

  • Name
  • Email address
  • Phone number
  • Organisation Address
  • Financial Details

Why we collect it

  • To manage invoicing, payments and financial accounting tasks

Lawful basis for processing

  • Performance of contract

Where we store it

  • Xero
  • Secure server

Third party sharing/ International data sharing

  • Xero

What we collect

  • Phone number
  • Any other details you provide

Why we collect it

  • To provide a text advice and support service

Lawful basis for processing

  • Consent
  • Performance of contract

Where we store it

  • TextAnywhere
  • Microsoft Office

Third party sharing/ International data sharing

  • TextAnywhere
  • Microsoft Office

What we collect

  • Instagram Username
  • Any other information you provide

Why we collect it

  • To offer a support and advice service

Lawful basis for processing

  • Consent
  • Performance of contract

Where we store it

  • Instagram

Third party sharing/ International data sharing

  • Instagram
Please review Instagram privacy and data policies. 

What we collect

  • Facebook Username
  • Any other information you provide

Why we collect it

  • To offer a support and advice service
  • To process donations

Lawful basis for processing

  • Consent
  • Performance of contract

Where we store it

  • Facebook
  • Microsoft Office
  • Secure Service

Third party sharing/ International data sharing

  • Facebook
  • Microsoft Report
Please refer to Facebook privacy and data policies. 

What we collect

  • Name
  • Email address
  • Other contact details
  • Qualifications
  • Employment history

Why we collect it

  • So that a designated member of staff can contact you in relation to your job application after shortlisting  
  • So that our recruitment panel can assess your application against the criteria in the person specification 

Lawful basis for processing

  • Legitimate interest
  • Contractual obligation

Where we store it

  • Ethical Job Seeker
  • JotForms
  • Microsoft Office

Third party sharing/ International data sharing

  • Ethical Job Seeker
  • JotForms
  • Microsoft Office

What we collect

  • Name (as provided) 
  • Other details you provide

Why we collect it

  • To process donations from you or provide you with support when taking part in a fundraising event for Crew 

Lawful basis for processing

  • Legitimate interest

Where we store it

  • JustGiving
  • Donation platform used
  • Salesforce
  • Microsoft Office
  • Secure server

Third party sharing/ International data sharing

  • JustGiving
  • Donr
  • Facebook 
  • Paypal
  • Charities Aid Foundation 
  • Charities Trust
  • Salesforce
  • Microsoft Office

What we collect

  • Name (as provided) 
  • Other contact details you provide
  • Documentation you provide

Why we collect it

  • To carry out instructions provided by solicitor and perform our Expert Witness Service

Lawful basis for processing

  • Fulfilment of contract
  • Legitimate interest 
  • Consent

Where we store it

  • Microsoft Office
  • Salesforce
  • Secure server

Third party sharing/ International data sharing

  • Microsoft Office
  • Salesforce

What we collect

  • Name (as provided)
  • Email address
  • Other contact details you provide

Why we collect it

  • To provide naloxone training and access to naloxone 
  • To monitor and record the supply of naloxone 

Lawful basis for processing

  • Consent

Where we store it

  • Microsoft Office
  • Secure server
  • NHS Scotland NEO Database

Third party sharing/ International data sharing

  • Microsoft Office
  • NHS Scotland NEO Database

What we collect

  • Name (as provided)
  • Email address
  • Other contact details you provide

Why we collect it

  • To provide access to events and training
  • To supply follow up information relating to an event or training

Lawful basis for processing

  • Consent
  • Fulfilment of contract
  • Legitimate interest 

Where we store it

  • Microsoft Office
  • Secure server
  • Crowdcast
  • Eventbrite
  • Zoom
  • Salesforce

Third party sharing/ International data sharing

  • Microsoft Office
  • Crowdcast
  • Eventbrite
  • Zoom
  • Salesforce

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The information below explains the cookies we use and why.

Cookie: Universal Analytics (Google)

Name: _gat, _ga, _gid

Purpose: 

These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in ananonymous form, including the number of visitors to the website,where visitors have come to the website from and the pages they visited.

Read Google’s overview of privacy and safeguarding data

How do I change my cookie settings?

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer’s website.

To opt out of being tracked by Google Analytics across all websites, visit https://tools.google.com/dlpage/gaoptout.

Special category personal data

We do not collect, process or store any special categories of personal data such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, gender identity, sex life or sexual orientation, or criminal offence data (except where necessary to carry out performance of employment contracts – if you are an employee of Crew please refer to the Employee Privacy Policy for details of how your personal data is collected, processed and stored).

Retention and deletion of personal data

We are required by UK government regulations to keep certain types of data (eg payroll, accounts and VAT records) for a minimum of 7 years. We also need to keep details of the fulfilment of business contracts for several years after completion of a contract as part of our professional indemnity insurance.

If you contact us using Facebook or Instagram platforms please refer to their privacy and data retention policies.

Who do we share your personal data with?

We will never sell your details to any third parties however, we may pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf.  

When we use third party service providers, we disclose only the personal data that is necessary to deliver the service and our contract requires them to keep your information secure and not to use it for their own direct marketing purposes. 

We will not sell or rent your information to third parties.

It may be necessary to share your personal data where there is a legal requirement to do so.

Your legal rights in relation to personal data and how Crew addresses these

This privacy policy forms part of your right to be informed about what personal data is collected about you and what is done with that data.

More information on the the right to be informed

You may make a subject access request to ask for any personal data that we hold on you. We are obliged to answer your request within 30 days, free of charge. To make a Subject Access Request please complete the form below or email admin@crew2000.org.uk

More information on the right of access

You may ask for any data we hold on you that is incorrect to be corrected by us. To make a data rectification request please email admin@crew2000.org.uk.

More information on the right to rectification

You may ask for personal data about yourself to be removed, subject to other considerations e.g. we are required by law to keep invoice data for at least 6 years. To make a data erasure request please email admin@crew2000.org.uk

More information ono the right to erasure

You may ask to restrict the processing of you personal data in certain circumstances. To make a request to restrict processing of your personal data please email admin@crew2000.org.uk.

More information on the right to restrict processing

The right to data portability gives individuals the right to receive personal data they have provided to a controller in certain circumstances. To make a data portability request please email admin@crew2000.org.uk

More information on the right to data portability

You can object to your personal data being used for marketing purposes. We do not use data for marketing except with your consent and you are free to change your preferences at any time.

More information on the right to object

We believe that the digital rights of young people should be championed. 

The 5Rights Framework lays out five important digital rights of children and young people. 

You can read more about the 5Rights campaign in Scotland on the Young Scot website.

How we protect your personal data

We maintain a high level of physical and electronic security in relation to the collection, storage and disclosure of your information. We take reasonable steps to ensure that any information we hold about you is protected.

What data breach procedures we have in place

We will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. We will notify the Information Commissioner Office (ICO) no later than 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons in accordance with Article 55.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, will we communicate the personal data breach to the data subject without undue delay. This communication will describe in clear and plain language the nature of the personal data breach and include:

  1. the name and contact details of the data protection officer or other contact point where more information can be obtained;
  2. describe the likely consequences of the personal data breach;
  3. describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

This communication to the data subject is not required if the conditions in Article 34 – 3a), b) or c) – are met :

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

What third parties we receive data from

We do not buy personal data from any third parties. We may receive personal data from partner organisations for the purposes of referral to a service for example. 

What automated decision making and/or profiling we do with personal data

We do not use automated decision making or undertake profiling with personal data.

Privacy Notice updates

We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you’re agreeing to be bound by this Policy.

This Privacy Information Notice was last updated on 28 May 2021

How to contact us

If you are unhappy with the way we handle your personal data and we have not been able to resolve it, you have the right to lodge a complaint with the ICO.

The ICO’s address:             
Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

Helpline number: 0303 123 1113 
Website: www.ico.org.uk

Any questions regarding this Policy and our privacy practices should be sent by email to admin@crew2000.org.uk or by writing to Crew 2000, 32-32a Cockburn Street, Edinburgh, EH1 1PB

Want to chat?
Text 07860047501