Privacy Policy

1. Policy statement

Neurodiversity in Business (NiB) is committed to operating within the requirements of The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018).

Information will be collected about member organisations, potential member organisations, and NiB team members; including those on the advisory board, co-production board, volunteers list and other active stakeholders.

We will continue to review this policy in line with changes, court cases, amendments to our activities and, where appropriate, updated advice from the ICO.

For the purposes of our privacy policy, we use all definitions provided by the ICO relating to Personal Data, Data Subjects, Data Processors and Controllers, which are available on their website (What is personal data? | ICO). As these are changed, we will assess the impact on our organisation and update internal processes accordingly.

2. Types of personal information we collect

We currently collect and process the following information:

  • Personal identifiers, contacts and characteristics (name, contact details including email and phone numbers where provided)
  • Employer name where provided / publicly available
  • Photograph of our key staff (where provided directly)
  • Your IP address when accessing our website (see cookies policy)
  • Banking information of suppliers and donors (where required to process authorised payments)

3. How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you through a form on our website (www.neurodiversityinbusiness.org) or by providing it in writing directly to one of our team members, for one of the following reasons:

3.1 Organisations:

  • To enable us to hold accurate records of our key contacts within member organisations for partnering activities
  • To enable us to invite you to events which we believe may be of interest to you via direct marketing
  • Enable us to undertake anonymised analysis (using employer information, where known) of the organisations we are working with, such as events attended, number of people reached
  • Fulfil data subject access requests
  • Understand the effectiveness of our website in providing information of use to yourself through tracking the “bounce rate” and other website metrics
  • Respond to any Data Subject Access Requests, requests for comment, or complaints
  • If required, to allow us to work with third party events organisers for an event which you have told us you will be attending
  • To record and report on any donations provided

3.2 Team Members (including trustees), guests and donors

  • To enable us to operate through holding the information on internal team members supporting the operation of the organisation
  • Understand the effectiveness of our website in providing information of use to yourself through tracking the “bounce rate” and other website metrics
  • Respond to any Data Subject Access Requests, and investigate and respond to complaints, legal claims or other issues. At times we might need to use your personal information to prevent fraud or identify misuse of our services.
  • To comply with any necessary legislative requirements from operating a charity, such as the Charities Act
  • To enable us to invite you to face-to-face events (including taking any necessary reasonable adjustments to keep you safe)
  • To enable us to operate the charity through holding internal organisational charts and the role holders for those identified required roles
  • To process gifts & hospitality, or donations in compliance with UK law
  • Identify effectiveness metrics through anonymised & pseudonymised data, such as number of attendees at our events
  • Carry out statistical analysis in order to develop organisational strategy and help us to understand how we can improve our services and meet the needs of people that require our help
  • Monitor and record information on stakeholders and volunteers for the purpose of voluntary support, payment and contractual services to suppliers, and to ensure health and safety of those working with us
  • To contact you about specific situations where your consent is required to perform other processing
  • To contact you directly about events which we believe you may be interested in

4. Lawful basis & sharing

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

  • To comply with UK legislative requirements
  • We have a legitimate interest for one or more of the purposes above
  • Your consent. You are able to remove your consent at any time. You can do this by contacting compliance@neurodiversityin.business

5. How we store your personal information

Depending on the mechanism from which your information was provided, your information is securely stored on a third-party hosted website.

Where provided internally by Team Members and the Leadership team directly, this information is stored within a third-party Cloud file store, which is inaccessible to anyone who has not been invited to join NiB.

We keep contact details for 12 months after a team member has left the organisation to ensure continuity of services and reallocation (some activities we perform are annual such as our annual conference).

We will then dispose of your information by removal of the file from our storage, deletion of any private messages and associated groups, and deletion from any forms submitted via the website. Each of these activities will be owned by an appropriate team member.

Where any information relates to analytics such as attendance at events or number of neurodivergent people who have attended any event in a 12 month period, it will have been anonymised before being used for statistical purposes.

6. Data Transfers

Information is accessed directly from our server space and edited online – offline copies and emailing documents containing any personal data are strictly prohibited.

To protect your data from being downloaded to such formats, NiB does not use removable media such as USB mass storage devices.

We do not email personal information except as a last resort; and in this situation it will always be encrypted via a password communicated separately.

NiB will never store hard copies of Personal Data, except where delegate names are required at face-to-face events. In this event, they will be confidentially destroyed within 24 hours of the event by the nominated event organiser (see “Who we share information with” below).

7. Who we share information with

Other than internal sharing for the purposes listed above, we will not release your data without your expressed consent other than:

  1. to comply with UK legislation
  2. in direct response to UK or EU court proceedings, when accompanied by an appropriate formal request from the courts outlining the purpose and scope
  3. to authorise payment transactions where required
  4. to engage with solicitors to defend the organisation

We may share your data, where relevant (e.g. dietary requirements), with the organisers of events to which you have accepted an invitation. This data will be destroyed after the event.

We will not sell your data to another organisation.

Personal data is not transferred, stored, or accessed outside of Europe without additional controls in place to ensure compliance and integrity, including, but not limited to, Standard Contractual Clauses for third-party services.

If required by nature of a request from a Data Subject or to host an event, we may engage professional legal or health and safety services to ensure we are compliant with any applicable legislation. Where possible, this will be anonymised prior to sharing.

8. Your data protection rights

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information unless we are required to retain it for a defined time period (e.g. to close a complaint, comply with legislation).
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information unless we are required to provide it for legislative purposes.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances (see above).
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in line with the requirements above and subject to your written approval.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you, unless there are extenuating circumstances (such as the amount of data and duration).

To protect your data, proof of identity may be required before we process any request for a copy of your Personal Data so that we only provide your data to yourself or a nominated individual on your behalf.

Information will be provided to you in a standardised format, compatible with all major operating systems.

Please contact us at compliance@neurodiversityin.business if you wish to make a request.

9. Failure to Comply with This Policy

If a volunteer or internal team member fails to comply with this policy, they may be subject to disciplinary procedures which will be applied according to the severity of the incident but could result in dismissal for gross misconduct.

Any supplier failing to act as a data processor on our behalf in line with the contractual agreement will be reported to the ICO and blacklisted from use by NiB.

10. How we use this policy internally

Anyone joining NiB must familiarise themselves with this policy prior to engaging in any activity on behalf of NiB.

Anyone found to not be acting in accordance with this privacy policy will face immediate disciplinary action, up to, and including, expulsion from the organisation.

11. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at compliance@neurodiversityin.business.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk