Privacy Policy
Three Rings is a service provided by Three Rings CIC, a company registered in England & Wales (number 06820837) and registered as a data processor with the Information Comissioner's Office (number ZA063766). We process personal data in compliance with the Data Protection Act (DPA), General Data Protection Regulation (GDPR), and other relevant legislation, as described on this page.
Queries and subject access requests should be addressed to our Data Protection Officer, by email to dpo@threerings.org.uk.
Who controls my data?
Three Rings processes two distinct classes of personal data: (a) personal data collected and controlled by our client organisations on their volunteers (note that organisations routinely process additional personal data that is not stored in Three Rings), and (b) personal data relating to users of the Three Rings service. The difference between these is laid-out in the table below (using the definitions of data controllers and processors from the Data Protection Act 1998.
Our services are delivered to client organisations in accordance with our terms & conditions for organisations and to individual users in accordance with our terms & conditions for users.
| Type of personal data | Examples | Controller | Processor | Who should I contact? | |
|---|---|---|---|---|---|
| 1. | Personal data not stored on Three Rings | Hard-copy application forms, minutes of meetings. | Client organisation | Client organisation | Client organisation |
| 2. | Personal data stored on Three Rings by organisations | Information in the Directory, Comms email history, Filestore, Wiki, Admin Logs, comments on the Rota. | Client organisation | Three Rings CIC | Client organisation, or if that's not possible, Three Rings CIC (note limitations below) |
| 3. | User data | Usernames, IP addresses, technical logs. | Three Rings CIC | Three Rings CIC | Three Rings CIC |
How is my data used?
Three Rings CIC collects user data for the purpose of authenticating you to the system, informing you on topics about which you have specifically expressed an interest (e.g. by subscribing to a weekly digest of changes at an organisation where you volunteer), contacting you as required for account maintenance purposes (e.g. advising you if there's reason to believe that your account may be insecure), and as required by law. Only your username and technical logging data is retained by default: you may choose to provide us with other personal data if you wish and you may change this at any time via the My Account section of Three Rings.
Organisations with whom you volunteer may use the Three Rings service to store other data, such as telephone numbers, postal addresses, photos, and emergency contact details. This can include sensitive personal data such as ethnicity and sexuality. Three Rings CIC is not the controller of this data. Three Rings CIC encourages organisations to publish a privacy statement accessible through Three Rings: where these are available, they can be read for organisations with whom you have a relationship via your My Account page by clicking the My Privacy Information button.
Is my data shared with anybody else?
No: identifiable personal data controlled by Three Rings CIC is not shared with any third-party. Anonymised statistical data is generated and used for research and promotional purposes and anonymised data is used internally for development and testing purposes as described under Data Anonymisation, below.
Organisations set their own policies regarding the sharing of data; consult the organisations with whom you volunteer or check the privacy policy they publish within Three Rings.
With your consent, an organisation with whom you volunteer may permit Three Rings CIC to process your personal data through Amazon SES ("sub-processing"), our email relaying/delivery service. This is used only for the purpose of delivering you emails directly related to your Three Rings account, emails sent to you by organisations where you volunteer, or automated emails to which you specifically opt-in (e.g. weekly digests from organisations where you volunter). If you choose to manage your own Three Rings account rather than having it managed by an organistion with which you volunteer, you will need to consent to this sub-processing so that we can send you emails relating to the management of your account. Tools are provided to make it as easy as possible to unsubscribe from any such email communication with a single click.
Is my data kept securely?
Three Rings' data is stored on a server leased exclusively to Three Rings CIC in a UK-based datacentre with 24/7 security, remotely-monitored CCTV, and access control systems throughout. Connections to the server whether by service users or Three Rings CIC staff take place exclusively over high-grade encrypted connections: no data leaves the server unencrypted. Off-site backups are stored in datacentres exclusively within the UK and European Union.
Security researchers/engineers are encouraged to review our security.txt file (standard). We encourage ethical disclosure.
What are my rights?
As an individual, you have certain rights regarding your personal data. This section describes how you might exercise some of those rights, and how Three Rings facilitates doing so. Your rights include:
Right to be informed
You have a right to be informed about the collection and use of your personal data. This page describes how Three Rings CIC uses your data; consult your My Account page to check if organisations with whom you have a relationship have published a privacy policy through Three Rings, and/or contact them directly with any questions about how your data are used.
Right of access
You have a right to access your personal information. If you're interested in the personal information stored about you by an organisation with whom you have a relationship, e.g. you volunteer with them, start from the My Privacy Information on your My Account page: this will show you the majority of personally-identifiable data directly-connected to your account stored anywhere within the Three Rings system. We'd recommend that you address any subject access request to the organisation who controls your data in the first instance: they are likely to have personal data that is not stored on the Three Rings system and is as-such not processed by and completely inaccessible to Three Rings CIC.
If you address a subject access request to Three Rings CIC, we can respond with all personal information that we detect that is stored within Three Rings and in any other system that we operate (e.g. our help/support system), but we cannot help you access information controlled by an organisation with whom you volunteer if it is inaccessible to Three Rings CIC: you will need to contact that organisation. We can also put you in contact with the organisations who we believe may hold additional data about you: please let us know in any subject access request exactly what information you're looking for to allow us to assist you as quickly and completely as possible.
Right to rectification
You can change the username and any other information stored on Three Rings by Three Rings CIC via your My Account page. Organisations with whom you volunteer may permit you to change your personal details directly via your Directory page, but if not, contact that organisation to have any corrections made.
Right to erasure ("right to be forgotten")
You can close your account, which will be immediately deleted, at any time from your My Account page. This terminates your relationship with Three Rings CIC but does not delete any information held about you by any organisations with whom you have a relationship: to request that this is done, contact that organisation.
Data Anonymisation
Three Rings anonymises personal data before we use it for our own purposes. For example, we statistically amalgamate data when using it to produce statistical reports about the service, and we irreversibly randomise data when we use it for development or testing purposes.
Logging
When someone visits 3r.org.uk we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site and to diagnose faults when errors occur. This log data will, where applicable, be associated with the identity of the individual using the service, if the user is logged-in to the system. By logging in to the system, you agree that your data may be used in this manner. This does not affect your rights.
When an individual's account is closed and purged, all personally-identifiable data logged about them is anonymised and can no longer be directly associated with that individual.
Contacting us
Three Rings CIC is committed to the legal and ethical management of the personal data under our control. If you have any queries about any of this, or you'd like help with your data, get in touch and we'll be happy to assist you.