Privacy Policy

Privacy Notice

Our privacy policy

This document explains why we collect your personal data, what we record, how it is used and stored, and what rights you have relating to it.

We are:

  • The Outward Bound Trust, an educational charity, which provides residential and non-residential outdoor learning programmes to young people who come to us as individuals or with their school, college or youth group.
  • Outward Bound Corporate Ltd, a wholly-owned subsidiary of The Outward Bound Trust, which, on behalf of the charity, sells commercial residential outdoor learning programmes for apprentices and graduates. All of its profits go to the charity.

For all practical purposes, we are one organisation. The policies, staff and management systems of The Outward Bound Trust also cover Outward Bound Corporate Ltd and so this Privacy Statement applies to both companies.

The Outward Bound Trust is data controller for all personal data covered by this document. Outward Bound Corporate Ltd is also a joint controller with The Outward Bound Trust for personal data relating to the apprentice and graduate courses that it sells.

There is a single point of contact for The Outward Bound Trust and Outward Bound Corporate Ltd:

Telephone: 01931 740 000

Email: enquiries@outwardbound.org.uk

Address: Hackthorpe Hall, Hackthorpe, Penrith, Cumbria.

We are committed to keeping your personal data safe and secure, and to meeting the requirements of the UK General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“DPA”), the Privacy and Electronic Communication Regulations 2003 (“PECR”) and other relevant data protection law.

We keep this Privacy Statement up to date to help you understand what we do with your personal data. This is version 7.0 of this document, and we last updated it on 12/07/2022.

1. Your data and how we use it

1.1 Summary

We protect your personal data and will never sell it to anyone.

We collect and process personal data to fulfil our charitable purposes and to deliver courses to clients. When we collect your personal data, we aim to be clear about our reasons for doing so, and we will only use it in ways that you would reasonably expect.

In general, when you:

  • visit our website
  • communicate with us
  • apply for or book a course with us
  • take part in a course or event with us
  • donate to us;

at some point we will need to collect and use some of your personal data. We will do our best to keep your information up to date. Please let us know if your details change.

We want to be open, honest and fair in the way that we use your data. Section 4 of this Privacy Statement gives you details of your legal rights over your personal data.

If you aren’t yet a donor or customer, we might use some publicly available data to help us to get to know you. This is in our legitimate interests as a charity dependant on fundraising and course bookings for income. You have the right to opt out of marketing and fundraising messages at any time.

We might also sometimes combine information that you’ve already given us with data from publicly available sources, such as information about the area where you live. This is so we can better understand you as a young person, customer or donor. This then helps us to work and communicate more effectively. Again, this is in our legitimate interest as a charity.

We keep your data secure and continually improve our systems and processes, using audits and expert advice to help us.

We use carefully chosen suppliers to help us with specific tasks. This sometimes means we need to share some of your personal data with them. For example, this could be to send you an email newsletter that you’ve opted in to, or to process a payment. We share only the information needed to carry out the particular task. Our contracts with our suppliers require them to only act on our instructions, to keep your data secure and to comply with data protection laws. We always keep control of your data.

Like any other organisation in the UK, if asked by the police, or other regulatory or government authority, we may be required by law to pass on your personal data to them, and we might not be allowed to tell you if this happens.

The rest of section 1 goes into more detail about what we do with your personal data depending on your relationship with us.

1.2 When you visit our website

When you use our website, we collect and process certain types of personal data and place some cookies on your device. For more details, please see the website privacy notice at https://www.outwardbound.org.uk/your-personal-data

1.3 If you are a course participant or applicant

If you are completing a participant information form for someone else (such as your child), you should tell them that we will have their data and that they have certain rights relating to it. Show them this section of the Privacy Statement and help them to understand it.

If you are a course participant (or applicant), we may use your personal data for the purposes of:

  • Processing your course booking
  • Administering your course including any allocation of charitable funding
  • Managing your health, safety and wellbeing and that of people around you
  • Statistical analysis to aid evaluation, improvement and reporting

We may be given some of your personal data by your school/college or employer, or by the person who booked your course. This information helps us to plan and prepare your course and accommodation, and usually includes:

  • your name
  • gender
  • age
  • and sometimes, your school/college class, your job role, or other contextual information about you or the group you are coming with.

We require you to complete a secure online Participant Information Form before you can take part in an Outward Bound course. On this form we ask for some sensitive personal information, including:

  • date of birth
  • next of kin
  • gender
  • detailed medical information, including allergies and medical conditions
  • information on your dietary needs
  • if you are disabled, information about your access needs
  • any other information you may decide to tell us that helps us look after you.

This sensitive data is strictly confidential, and we take extra care with it. We mainly use it to manage the health, safety and wellbeing of you and those around you, including to provide appropriate support and medical care if required.

After your course, we need to keep this data along with other records about your time with us. This helps us to meet our legal responsibilities. We won’t get rid of this information for at least three years after your course if you are over 18. If you are under 18, we need to keep it until you are at least 21 years old.

The lawful condition for processing the sensitive data for health, safety and wellbeing purposes is substantial public interest – safeguarding of children and individuals at risk.

We also ask for some sensitive data about your background and characteristics. This is used for statistical analysis. Usually this is information you’ve chosen to tell us on the Participant Information Form. For certain funded courses we might also ask you for extra information. We anonymise and aggregate sensitive data as soon as possible in the analysis process. This anonymised data is then used to help us understand and improve how we include as many people as possible, and to help us report to donors and to partner organisations (see 1.3.2 below).

The statistical analysis of sensitive data is carried out in accordance with UK GDPR Article 89 and is done in our legitimate interest.

During or after your course we may also collect:

  • your responses to any evaluation questions

This information is used to evaluate and report on the impact of our work and to help us improve our courses. It is anonymised whenever possible. We will never identify you in a report or case study without your express permission in advance.

  • any feedback you give us

We use this information to keep improving our centres and courses. Feedback and evaluation information is used in line with our legitimate interests.

We also collect:

  • your contact details

We may need to send you important information about your course. You can’t opt out of receiving this type of message.

  • your (and your parent or guardian’s) preferences for receiving marketing messages from us, and contact details for doing so.

You are in control of whether to receive marketing messages from us. Our marketing is done in line with the legitimate interests of the charity.

We may also hold records of any written communication with us.

1.3.1 Working with your school, college or employer

If you come to us with your school, college or employer, we might need them to help us to make sure that Personal Information Forms are completed by you and other people on your course. Your school, college or employer cannot see what you have entered on the form. We do tell them whether you have completed the form or not.

Your school, college or employer may share other information about you with us, and we may share information with them about you. This is part of how we work in partnership to look after you before, during and after your time with us, which includes fulfilling our safeguarding responsibilities.

If you are an Employee Ambassador, we will usually require you to undergo a check with the Disclosure and Barring Service. We will tell you what additional information we need you to supply to facilitate this, and we will need you to show us the DBS certificate that is issued to you. We keep a record that we have done this.

1.3.2 Working with partners

We deliver some courses that involve working with partner organisations. For example, some courses include a John Muir Award, which is a certificate scheme run by the John Muir Trust. If you come on a course incorporating the John Muir Award, we will tell the John Muir Trust your name and the Award level you’ve achieved so that they have a record of your Award. We also give them anonymised statistics on who has achieved the Award.

From time to time, we might offer other third-party awards as part of our courses. The arrangements for these are similar to those for the John Muir Award.

Other courses are funded in whole or part by donor organisations or individuals. Our agreements with these partners sometimes require us to share anonymised demographic data with them, or to report on the results of our statistical analyses of participant data.

1.3.3 Funded programmes

If you apply for a place on a funded programme (such as the Mark Scott Leadership for Life Award, or Scotland’s Next Generation), we may combine the information you give us with publicly available information about the area where you live such as data from indices of deprivation. This helps us to allocate places effectively, to match you to a donor, and to help us report to our donors on how we use their money.

1.4 If you came on an Outward Bound course in the past

We keep an archive of historical courses. If you came on a course with us in the past, we may have records of:

  • your name, age and other basic information about you at the time
  • photographs of you during your course
  • your detailed course report and other paperwork from the course.

Exactly what information we have depends on when and where your course was:

  • If your course was more than 10 years ago: to find out if we do have a record of your course in our archive, and to obtain a copy of your record, please contact Dylan Carroll, Head of Legacy Giving, at dylan.carroll@outwardbound.org.uk.
  • If your course was less than 10 years ago: see section 4 below if you want to know what personal data we hold and obtain a copy.

1.5 If you are a donor, or a prospective donor

If you have donated to us, or if we consider you to be a prospective donor, the personal data we hold on you may include:

  • your name and contact details
  • your preferences on how to contact you
  • your history of donations to us
  • invoicing or Request for Donation information
  • your job title and other information about the company you work for
  • general information about your interests and business activities
  • records of events you have attended with us
  • your history of support for us
  • records of your written communications with us.

We usually gather or generate this information in the course of setting up or fulfilling your donation agreement with us. If you are not yet one of our donors, we might have obtained some information from publicly available sources through our prospect research. This information is used in line with our legitimate interest as a charity reliant on fundraising. You always have the option to opt out of any messages we send you, and you can request at any time that we stop processing your data or delete it. See Section 4 of this Privacy Statement to find out how to do that.

We are registered with the Fundraising Regulator and comply with the Fundraising Code of Practice.

1.6 If you are a customer

If you have booked a course with us, we will usually hold the following information about you in order to fulfil our contract with you and to manage your relationship with us:

  • your name and contact details
  • your job title and other information about your place of work
  • your preferences on how to contact you
  • your history of bookings with us
  • invoicing information
  • records of your written communications with us.

We gather this personal information directly from you during the booking process and throughout the course of your relationship with us.

During or after the course you booked, we may also collect:

  • your responses to any impact evaluation or feedback opportunities.

This information is used to help us keep improving our courses and the way we work with you and other customers, or to evaluate and report on the impact of our work - in which case it is usually anonymised. We will always ask your permission if we want to use your name in any of our evaluation reports or marketing material. Evaluation and feedback is done in line with our legitimate interest as a charity.

1.7 If you are not yet one of our customers

We might have found basic information about you, including contact details, from publicly available sources. We use this to help us to get in touch with you. This is in line with our legitimate interest as a charity.

You might also have directly given us your information when you completed one of our forms, attended a course with us, or got in touch with us some other way.

1.8 Marketing and fundraising communications

If you have opted in, or if you have previously booked a course, donated to us, or attended an event with us, then from time to time, we may tell you about news, events, activities or offers which we think may be of interest to you. You can opt out of receiving these messages whenever you like.

We limit the number of marketing and fundraising messages that we send, and we use profiling and segmentation to make sure that you only get messages that we think are likely to be relevant to you.

If you do not wish to receive marketing or fundraising messages by post, phone, text or email, you can notify us to change any of your preferences at any time using the contact details in section 5 of this policy. Emails of this type that we send have unsubscribe links at the bottom to make it easy for you to opt out of receiving them.

2. How we look after your personal data

We protect your personal data and will never sell it to anyone.

We hold and process your personal data on The Outward Bound Trust’s computer and paper systems. We use our supplier’s systems for certain tasks. We continually improve our processes and systems. We consider data protection by default and by design.

2.1 Security

We take the security of your data seriously. We use internal and third-party audits and certification programmes to test and improve the security of our systems. We have Clean Screen and Clean Desk policies and encrypt all data held on phones and computers. Our staff undergo DBS checks and have data protection training before handling personal data. Access to personal data is limited to those people who require it for their roles, and logins are secured with multi-factor authentication. Medical data and other sensitive data gathered through the Participant Information Form is subject to additional access and retention controls and cannot be exported from the system.

Sensitive data including data from the Participant Information Form is only stored and processed within the UK.

2.2 Suppliers

We use carefully chosen suppliers to help us with certain tasks. These include processing personal data for managing bookings, administering courses, taking payments and communicating with you. We use Data Processing Agreements and other contractual arrangements to ensure your data is only processed on our instructions, in line with the law. We monitor the performance of our suppliers to ensure that our standards are maintained.

2.2.1 Overseas data transfers

Some non-sensitive data processed by our suppliers might be electronically transferred to and processed at locations outside the UK or the European Economic Area (“EEA”). In these cases, we use binding contractual arrangements to ensure that your data is protected. These might include where appropriate Standard Contractual Clauses or UK International Data Transfer Agreements.

3. Changes to this statement

We make changes to this Privacy Statement from time to time as part of our commitment to continual improvement. The latest approved version of this policy will always be available on our website.

If we make any significant changes in the purposes that we use your personal data for, we will make this clear on our website or contact you directly.

Since the previous version (6.0):

  • We have described the relationship between The Outward Bound Trust and Outward Bound Corporate Ltd and made it clear that this policy applies to both.
  • We have clarified the type of data that we use for statistical analysis for impact evaluation, improvement and reporting purposes and the basis for this processing.
  • We have described situations where we might share anonymised data with partner organisations.
  • We have added information on when employee ambassadors might need to share their data with us for DBS checks.
  • We have made it clear that sensitive personal data is only stored and processed within the UK.
  • There are various minor changes for clarity or ease of reading.

4. Your data rights

You have the following rights relating to your personal data. If you want to exercise any of your data rights, just get in touch with us using the details in Section 5 below. To keep your data safe we may need to check that you are who you say you are.

  • The rights to know what data we hold about you, what we use it for, and to request a copy of personal information held about you

We will provide this information within one month. It will help us if you can be specific about the types of data you would like a copy of.

  • The right to request that any inaccuracies be corrected

We will usually be able to do this immediately, although in some circumstances it might take us up to one month to complete your request.

  • The rights to request us to stop processing your personal data and to request us to delete your personal data

There might sometimes be good reasons why we need to keep some data, even if you have asked us to delete it. For example, if you have asked us not to send emails to you, we will need to keep your email address to check against so that we don’t accidentally send you emails in future.

  • The right to complain to the Information Commissioner’s Office or the Fundraising Regulator

You can do this at any time. The Information Commissioner’s Office can be found at ico.org.uk and the Fundraising Regulator can be found at fundraisingregulator.org.uk

5. Contact Us

Please get in touch if you have any questions about this policy, would like us to stop sending you messages or using your data, or if you would like to exercise any of your personal data rights.

Telephone: 01931 740 000

Email: enquiries@outwardbound.org.uk

Address: The Outward Bound Trust, Hackthorpe Hall, Hackthorpe, Penrith, Cumbria, CA10 2HX.

5.1 Data Protection Officer

Our Data Protection Officer is John Chivall, Quality and Compliance Manager.

Email: john.chivall@outwardbound.org.uk