Privacy statement


The Richard Reeve's Foundation (RRF) is committed to protecting and respecting your privacy. For the purpose of the General Data Protection Regulations (the GDPR), and any subsequent UK legislation covering data protection, the Data Controller is RRF. This is because RRF dictates the purposes for which your personal information is used.

This policy sets out why RRF collects any personal information about you and how we use that personal information. It explains the legal basis for this and the rights you have over the way your information is used.

In this policy, where the words 'personal information' are used these words describe information that is about an individual and which identifies that person (e.g. their name, postal address, email address). Personal information is protected by law and below is a summary of the personal information that RRF collects, stores and uses in the course of its relationship with you.

This policy applies to RRF's:

  • governors

  • staff (as well as their next of kin and, where appropriate, partners and dependents)

  • grant applicants and awardees

  • pupils whose applications for an RRF sponsored place at Christ's Hospital School (the School Scheme) RRF receives from Christ's Hospital School (the School Applicants), the School Applicants who RRF selects to sponsor at Christ's Hospital School (the Presentees), and the parents of School Applicants and Presentees

  • professional advisors

  • consultants

  • suppliers and other individuals with whom RRF has a legitimate business interest

Data Protection Principles

We will comply with data protection law and principles when collecting and using your personal information, which means that your personal data shall be:

  • processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met

  • collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes

  • adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed

  • accurate and, where necessary, kept up to date

  • processed for any purpose(s) shall not be kept for longer than is necessary for that purpose/those purposes

  • processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures

What type of personal information we collect

The type and amount of information we collect depends on why you are providing it.

Grants (to individuals)

The Foundation does not currently make grants directly to individuals, only indirectly through certain institutions (see below).

Block Grants (to institutions)

RRF may choose to award a block grant to City, University of London and City & Islington College and any other institutions it may choose in the future, in order to assist those students who are in financial need and meet various eligibility criteria (the Block Grant).

In the event that RRF decides to award a Block Grant, at the end of the academic year RRF may process the following personal information it has received from the institution with respect to individual beneficiaries of the Block Grant:

  • age

  • gender

  • purpose for which the grant is used by grant awardee (including financial breakdown of grant expenditure)

We do not collect personal information of potential beneficiaries when assessing grant applications from any other organisation/institution. However, RRF may require permission from organisations/institutions seeking a grant to use grant beneficiaries' photographs and (anonymised) beneficiaries' grant reports as part of RRF's grant evaluation and monitoring process, as well as to form case studies to promote RRF's grants. We would apply to the organisation for the individual's consent in such cases.

Christ's Hospital School – School Applicants

When assessing the eligibility of School Applicants, RRF will receive and process personal information about School Applicants and their parents, including their:

  • names

  • personal photograph

  • personal contact details

  • present school and general educational information

  • information relating to home, social, domestic and financial circumstances and background

  • personal opinions of applicants

  • main hobbies/interests/skills

  • reason for application

RRF may also receive certain sensitive personal information about School Applicants and their parents. For further information, please see below.

Christ's Hospital School - Presentees

RRF will process personal information relating to the progress of Presentees (including academic and personal progress).


If you apply to become or are a governor of RRF then we will ask you to provide personal information including your name, age, gender, personal contact details, professional qualifications and referee details.

RRF may also receive certain sensitive personal information about you. For further information, please see below.


If you have applied to join the staff of RRF, you will be asked for personal information including your name, postal address, email address, telephone number, employment history, qualifications, and education.

If you are successful in your application to join the staff at RRF, you will be asked for, and RRF will collect, additional personal information including bank details, references, remuneration details, qualification and absence information.

RRF may also collect personal data of the next of kin and dependents of current employees, including names, telephone numbers and email addresses.

Other individuals

As part of RRF's charitable activities, RRF may collect and use the personal data of individuals from third party organisations with whom it has a business relationship, namely professional advisors, consultants, suppliers and other individuals with whom RRF has a legitimate business interest. This information will be limited to the individual's name, email address and telephone number.

Sensitive Personal Information

We may also collect, store and use the following types of more sensitive personal information in relation to School Applicants (and their parents), as well as governors:

  • Information about individuals' race or ethnicity

  • Information about individuals' mental or physical health, including any medical condition, health and sickness records

RRF collects and uses this information for equal opportunities purposes and to administer the School Scheme and grants.

RRF will obtain explicit consent from an individual before it processes this type of personal information or rely on the equal opportunities legal basis to process this personal information.

Where we collect personal information from

We may collect information from you:

  • When you give it to us directly, including where you:

    • Contact us in any way (including by phone, email, letter or otherwise) and in the course of your communications with RRF

    • Provide us with information about your marketing preferences

    • Apply (or accept) to be a member of staff or a governor

    • Where you have an agreement or contract in place with us

  • When you have given other organisations or individuals permission to share your personal information with RRF. E.g. organisations applying for grants on behalf of beneficiaries; School Applicant applications and Presentee reports received from Christ's Hospital School; referees named on application forms

  • Through cookies when you use RRF's website. Please see below for more information about RRF's use of cookies

Please be aware that where personal information is provided by an individual/organisation to RRF which relates to a third party, the individual/organisation who has provided that information (e.g. a grant organisation; Christ's Hospital School) confirms that it has the consent of the third party (e.g. a grant beneficiary; School Applicant, Presentee or parent; a referee) to share such personal information with RRF and that the individual has made the information in this policy available to the third party.

How we use your information

We can only use your personal data if we have a proper reason for doing so. For example:

  • where you have given your consent

  • to comply with our legal and regulatory obligations

  • for or in the performance of our contract with you or to take steps at your request before entering into a contract

  • for our legitimate interests or those of a third party (so long as this is not overridden by your own rights and interests)

We can also use your personal information in the following situations, but these are likely to be rare:

  • Where we need to protect your interests (or someone else's interests)

  • Where it is needed in the public interest

The table below explains what we use your personal data for and our lawful reasons for doing so.


Legal Basis

To communicate with you

This is in RRF's legitimate interests in order to sustain and grow its charitable grant-making, employment and funding relationships; to process applications and further RRF's aims, objectives and activities

To improve and sustain relationships between RRF and its partner organisations that benefit from its activities

This is in RRF's legitimate interests in order to further RRF's aims, objectives and activities

To manage RRF's activities, including processing, administering, assessing, monitoring and supporting its grants and the School Scheme

This is in RRF's legitimate interests in order to administer and deliver its grants and the School Scheme and to further its aims, objectives and activities. RRF may need to fulfil its contractual obligations

To illustrate the impact of RRF's activities and promote its achievements and range of projects (e.g. on the RRF website)

This is in RRF's legitimate interests in order to assess and promote its activities. RRF may also rely on individual consent in order to publicise any details of grants

To make payments to individuals (e.g. staff, grant awardees)

This is in RRF's legitimate interests in order to carry out its activities, and fulfil any contractual obligations

To comply with any legal or regulatory obligations (including in connection with a court order)

This is to comply with RRF's legal and/or regulatory obligations

To report to statutory authorities such as the Charity Commission and Companies House on the identity of RRF's governors

This is to comply with RRF's legal and/or regulatory obligations

To recruit staff and appoint governors

This is in RRF's legitimate interests in order to further its aims, objectives and activities

To perform contracts we have entered into in relation to the grants and the School Scheme

This is to fulfil our contractual obligations

To administer and maintain HR records including but not limited to paying salaries and other remuneration, providing and administering benefits, maintaining sickness records and undertaking appraisals


This is to comply with RRF's legal obligations as a responsible employer

To carry out equal opportunities mentoring

This is to promote or maintain equality within RRF

RRF will not make any decisions about you using automated means.

How we keep your information safe

We are committed to ensuring all personal information RRF holds about you is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling that information (including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such information) and in accordance with any applicable legal requirements.

In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. All data we collect electronically is securely backed up and hosted within the UK. RRF does not transfer personal data outside of the EEA.

RRF undertakes regular security and risk reviews and monitors all the controls that it has in place to ensure the security, accuracy and integrity of the personal information it holds.

We always ensure only authorised persons have access to your information and that everyone who has access is appropriately trained to manage your information.

However, no data transmission over the internet can be guaranteed to be 100% secure. So whilst we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.

RRF's website

The information generated about you during your use of RRF’s website can be used to create reports about the use of our website. Details captured during your visit could include, but are not limited to, the pages you visit, how long you spend on each page, how you got to the site (e.g. via a search engine) and what you click on while you’re visiting the site. All data collected is anonymous and aggregated and will not identify you as an individual.

Our website may contain links to other websites of interest. You should be aware that we do not have any control over the content or security of external sites and therefore we cannot be held responsible for the protection and privacy of any information which you provide whilst visiting these sites. You should exercise caution when disclosing personal information on any website and should read the website’s privacy statement to understand how your personal data will be used.

We have Google Analytics on our website but are not currently using the data collected to monitor visitor activity or to make changes to the website to improve functionality.

RRF's use of cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

Cookies are small pieces of information sent by a web server to a web browser, which enable the server to collect information from the browser. They are stored on your hard drive to allow our website to recognise you when you visit.

Please read our cookies policy here:

How long we keep your information for

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements. Details of retention periods for different aspects of your personal information can be found in our retention policy which is available here: D:\RRF Charity\Legal & Compliance\Data Protection\GDPR\Final Drafts

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Disclosure of Personal Data

The following list includes the most common third parties to whom and reasons for which RRF will authorise disclosure of personal data:

  • third parties who provide services for us. We provide these third parties with the information that is necessary for them to provide their services. We ensure we have agreements in place that require them to operate with the same care over your personal information and their data protection obligations as we do. Our third-party data processors include:

    • IT Rescue, for the provision of IT Helpdesk and technical support and advice

    • Denise Barrows Consultancy, for consultancy and support for the development and implementation of RRF’s Progression into Work grants programme

    • Sage, for the provision of technical support for payroll

    • Buzzacott LLP Chartered Accountants, for the provision of accountancy services

  • our professional advisors (including accountants and lawyers) that assist RRF in carrying out its activities in accordance with its legal and accounting obligations

  • external agencies and organisations (including the police, the relevant local authority and other law enforcement agencies) for the purpose of complying with applicable legal and regulatory obligations

  • for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings)

  • for research, historical and statistical purposes

  • to give a confidential reference relating to a current or former employee

In addition, RRF may be required to disclosure your personal information:

  • if RRF is under a duty to disclose or share such personal information in order to comply with any legal obligation, to investigate fraud, credit risk reduction purposes or it is in the public interest

  • if RRF or substantially all of RRF's assets are acquired by a third party, personal information held by RRF will be one of the transferred assets

  • in the event that RRF sells or buy any business or assets, RRF will disclose such personal information to the prospective seller or buyer of such business or assets

  • in other situations where RRF has the consent of the individual to do so

Other than the above, we will not share your information with other organisations without your consent.

Your rights under data protection law

Under the GDPR, individuals have certain rights with respect to their personal information. These rights will only apply in certain circumstances and are subject to certain exemptions.

The table below sets out a summary of rights and who should be contacted at RRF if an individual wishes to exercise them. Once an individual has sent a request to exercise their rights, RRF's policy is to respond with 5 working days' of receipt of the request.


Summary of rights

Who to contact

Right of access to personal information

Individuals have the right to receive a copy of the personal information that RRF holds about them, subject to certain exemptions (as set out below)

Clerk to the Governors This email address is being protected from spambots. You need JavaScript enabled to view it.

Right to rectify personal information

Individuals have the right to ask RRF to correct the personal information that RRF holds where it is incorrect or incomplete without undue delay

Right to erasure of personal information

Individuals have the right to ask that their personal information be deleted in certain circumstances. For example:

  • where the personal information is no longer necessary in relation to the purposes for which they were collected or otherwise used;

  • if the individual withdraws their consent and there is no other legal ground for which RRF relies on for the continued use of the individual's personal information;

  • if the individual objects to the use of their personal information (as set out below);

  • if RRF has used the individual's personal information unlawfully; or

  • if the personal information needs to be erased to comply with a legal obligation.

Right to restrict the use of personal information

Individuals have the right to suspend RRF's use of their personal information in certain circumstances. For example:

  • where the individual thinks that their personal information is inaccurate, and only for such period to enable RRF to verify the accuracy of the individual's personal information;

  • the use of the personal information is unlawful and the individual opposes the erasure of their personal information and request that its use is suspended instead;

  • RRF no longer needs the individual's personal information but the personal information is required for the establishment, exercise or defence of legal claims; or

  • the individual has objected to the use of their personal information and RRF is verifying whether its grounds for the use of that personal information override the individual's objection.

Right to data portability

Individuals have the right to obtain their personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organisation where it is technically feasible.

The right only applies:

  • to personal information which you have provided to us;

  • where we rely on either of the following legal basis:

  • on their consent; or

  • for the performance of a contract; and

  • when the use of the personal information is carried out by automated (i.e. electronic) means. Please note that RRF does not make any decisions using automated processes.

Right to object to the use of personal information (including to object to direct marketing, automated decision making and profiling)

Individuals have the right to object to the use of their personal information in certain circumstances and subject to certain exemptions. For example:

  • on the grounds of pursuit of a public interest or legitimate interest where an individual does not believe that those grounds are made out;

  • if the individual objects to the use of their personal information for direct marketing purposes;

  • where we use your personal information to take a decision based solely on automated processing where that decision produces a legal effect or otherwise significantly affects you. Please note that RRF does not make any decisions using automated processes.

Right to withdraw consent

Individuals have the right to withdraw their consent to the processing of their personal data at any time where RRF relies on consent to use that personal information.

Right to complain to the relevant data protection authority

Individuals have the right to complain to the relevant data protection authority, which in the case of RRF is the Information Commissioner's Office (ICO), where the individual considers that RRF has not used their personal information in accordance with data protection law (as set out below).

Subject Access Requests

You have the right to ask us to provide you with a copy of your personal data. All requests should be sent to the Clerk to the Governors (This email address is being protected from spambots. You need JavaScript enabled to view it.). Once we have confirmed your identity, we will supply any information you ask as soon as possible but this may take up to one month. We will not charge you for this.

Contacting RRF

If you have any questions about this policy or concerning your personal information you can contact us at This email address is being protected from spambots. You need JavaScript enabled to view it..

Your duty to inform us of any changes to your personal information

Individuals should notify RRF (by email, telephone or in writing) if any personal information is incorrect or out of date.

Changes to this Policy

Where appropriate, RRF will communicate any future changes to this policy by email, letter, on the RRF website or other method of communication as RRF may consider appropriate. Where appropriate, the updated Policy will take effect as soon as it has been updated or as otherwise communicated to individuals.

This policy was last updated in July 2018.

How to complain

Individuals have the right to complain to the ICO if they consider that RRF has not used their personal information in accordance with data protection law.

The ICO can be contacted by writing to the Information Commissioner’s Officer at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; by phoning their helpline on 0303 123 1113, or by visiting their website

More in this category: « Cookies Policy