Privacy notice

We really value the support we receive from the public; our members, partners and stakeholders and we take your personal data privacy seriously. We are fully committed to compliance with applicable data protection laws and we keep up-to-date with legislation changes.

In processing child sexual abuse material for the fulfilment of our remit and to the extent that this is personal data, we are doing so for reasons of substantial public interest as a relevant self-regulatory authority which is recognised within the Memorandum of Understanding between the Crown Prosecution Service (CPS) and National Police Chief’s Council (NPCC). Further information can be provided on request.

We are an ISO27001 accredited organisation which means our information security management system has been independently verified as meeting the high standards expected of ISO27001 certification. You can therefore be assured of the seriousness with which we take the security of your data.

We will keep your personal data secure and confidential and will only use it for the purposes intended. At no time will we sell your personal data.

We may disclose your personal information to third parties if we are legally obliged to; or in order to enforce or apply our terms of use for our website or other agreements; or to protect the rights, property or safety of the IWF, our donors or others.

Where we provide links to other websites that are not owned or managed by the IWF we cannot be held responsible for the privacy of data collected by those sites. You should consult each website’s respective Privacy Notice or policy if you have any concerns or would like further information.

Our website is currently managed by Studio24 who are contractually bound to keep any personal data processed on our behalf via the website secure. You can find out more information about Studio24 on their website here.

We use Google Analytics to interpret our website’s traffic to ensure it is working in the best way possible and to allow us to continually improve the experience for users.

Any information gathered for this purpose is for internal use only and contains no personal information. The Internet Protocol (IP) address of the computer or other device you use to access the website is used to gather anonymised statistical data. It is not retained with a view to identifying you personally by either ourselves or Google Analytics. We have a legitimate interest in monitoring the use of our website which is for the purpose of continual improvement.

You do however have the option to prevent Google Analytics from using your data. For more information on this please visit - https://tools.google.com/dlpage/gaoptout/.

For more information generally on how Google uses your data please visit - http://www.google.com/policies/privacy/partners/

Cookie Policy

What are Cookies and how do we use them?

A cookie is a small text file that is sent to your computer's hard drive when you visit a website. A cookie typically contains the name of the website from which it has come, the lifespan of the cookie and a value. The value is usually a unique code that will only make sense to the website that has issued it. Cookies can also be used to measure how people use websites and what kind of browsers or devices they're using.

You can set your web browser to accept or reject cookies or tell you when a cookie is being sent. You can also delete cookies from your computer.

The AboutCookies.org website tells you how to control and delete cookies on most browsers.

How to control Cookies (AboutCookies.org, external website)

How to delete Cookies (AboutCookies.org, external website)

Website cookies

When you visit our website, you'll see this notice 'IWF uses Cookies to ensure we give you the best experience on our website' and a 'Find out more about Cookies' link to this Privacy Notice. As above, you have the right to accept or reject those cookies.

We do not use Cookies to collect your personal data nor to subsequently pass that information to third parties without your permission. The following cookies are currently used on our website:

Cookie	Description	Duration	Type
GPS	This cookie is set by YouTube and registers a unique ID for tracking users based on their geographical location.	30 minutes	Analytics
VISITOR_INFO1_LIVE	This cookie is set by YouTube. Used to track the information of the embedded YouTube videos on a website.	5 months	Advertisement
YSC	This cookies is set by YouTube and is used to track the views of embedded videos.		Performance
MUID	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.	1 year	Advertisement
_uetsid	null	30 minutes	Other
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.	2 years	Analytics
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.	1 day	Analytics
_gat_UA-6726767-1	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.	1 minute	Performance
li_sugr	null	2 months	Other
lang	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time the user visits the website.		Functional
lidc	This cookie is set by LinkedIn and used for routing.	1 day	Functional
UserMatchHistory	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.	4 weeks	Other
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.	1 year	Advertisement
bcookie	This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.	2 years	Functional
bscookie	This cookie is a browser ID cookie set by LinkedIn share Buttons and ad tags.	2 years	Advertisement
lissc	null	1 year	Other

Contacting us

Complaints

We provide two avenues for complaints – one related to general complaints, and one specifically with respect to content assessment appeals. Explanations of both are contained within the website at the Complaints page - https://www.iwf.org.uk/complaints.

With any complaint, the personal data provided by the complainant will be retained until such time as the complaint has been investigated and concluded – it will then be anonymised after 90 days. Be aware that if the same complainant sends a separate complaint subsequently, the 90 days begins again.

Again, unless legally obliged to do so, this personal information will not be shared with third parties without the express written permission of the complainant.

Feedback form

If you have any comments regarding our website, we provide a feedback form for this purpose. The details requested allow us to respond to you appropriately. We will not retain your personal data for longer than is necessary. We may retain the contents of the feedback to aid in the improvement of our website, however personal data will be anonymised.

Contact form

You can use our general contact form in which we request your name, an email address and a reason for your enquiry so that we can best direct it to the right recipient. As per our management of the feedback form, your details will not be retained for longer than is necessary to provide you with an appropriate response and will be subsequently anonymised or disposed of.

We understand how distressing it can be to stumble across potentially illegal child sexual abuse material and are therefore extremely grateful for the reports we receive that help us in our work. We do recognise that reporters can be concerned about doing this.

You can remain completely anonymous when reporting something you’ve stumbled across online.

If you’d like to know what happened with your report however, then the minimum we need is your name and an email address so that we can send you a confirmation email with a unique reference number. You may also supply an organisation name if reporting on behalf of your company. By providing your contact details to us, you consent to us storing them for this purpose. Note you will be directed to this Privacy Notice before progressing to the submission of your report where you do so non-anonymously.

If you do indeed choose to provide your details, they will be recorded in our reporting system for 90 days to allow for that communication. They will then be automatically deleted after those 90 days. Please be aware that if you report more than once with the same details, each instance of reporting starts that 3-month retention period again. Therefore, if you do not wish for your details to be retained for that period following each report you may prefer to go back a step and report anonymously.

Be assured, your personal details would not be disclosed to third parties without your express written permission. However, in rare circumstances it may be necessary or advisable for us to disclose your details to the police or other international law enforcement agencies in order to assist them with enquiries they are pursuing or where not to do so would pose a potentially immediate risk of serious harm to a child or other person(s). In such cases we regard the disclosure to be either in the public interest, or as a legitimate interest for the purpose of preventing the spread of child sexual abuse material.

Reports received via our International Portals come directly into our UK-based reporting system. At no time are reports (nor reporter details) viewed or accessed by any persons outside of the UK.

Members

If your organisation chooses to join our Membership, our Development team will be in touch to explain the details they’ll need from you that will be used to communicate with you in the delivery of your chosen services. Key to this for example will be the contact details (names, work numbers and work email addresses) of your designated team members so that we can successfully work together.

In processing Member applications, we utilise Survey Monkey to collect relevant business information (see their privacy page for further information - https://www.surveymonkey.com/mp/policy/privacy-policy/ and we also use AdobeSign for the processing of subsequent contracts.

More information on AdobeSign can be found on their website here - https://www.adobe.com/uk/legal/terms.html

In processing this information with a view to forming a business relationship we’re initially processing the data with a legitimate interest.

We work with a number of organisations in this way to forge successful business partnerships. In working with any third parties we ensure robust due diligence is carried out, and formal arrangements are in place to ensure the security and confidentiality of any personal data that may be processed in working with them.

If you require further information, you can contact our Development team.

Partnerships

We work in partnership with a number of highly regarded, prestigious and varied organisations across the world to help us in our mission to eliminate child sexual abuse imagery online. Examples of the types of organisations we work with include; other NGOs, the internet industry, INHOPE – the International Associate of Internet Hotlines, Government and law enforcement agencies around the world.

These partnerships come in many forms and are managed through a combination of formal agreements, legal contracts, initiatives and collaborations. Be assured that where personal data (including that of our staff or any contractor(s) working on our behalf) is processed in order to carry out any such partnership, it is done so securely and within the confines of the law. Further information on our partnerships can be found within our website.

In working with organisations around the world we need to be sure data is not transferred outside the European Economic Area without appropriate controls being in place. In such a circumstance, we ensure relevant standard contractual clauses are in place and/or EU-US and Swiss-US Privacy Shield framework compliance or data adequacy status by the EU.

NSPCC/ Childline

We have an active partnership with the NSPCC and support the ‘Report Remove’ initiative. When a report comes through to us via Report Remove we know that where necessary, age confirmation has happened and we can work as swiftly as possible to get the self-reported images or videos of children removed from the internet. For more information on Report Remove visit Childline here. The IWF does not have active engagement with the child in this process, nor do we process their personal data in assessing the content.

The UK Safer Internet Centre

The UK Safer Internet Centre is a partnership between the IWF, South West Grid for Learning (SWGfL) and Childnet. We provide a range of activities to promote the safe and responsible use of technology to children. The UK Safer Internet Centre has a dedicated website which is coordinated by the lead partner – SWGfL and you can find an updated Privacy Policy on that website. You can find out more about the partnership here.

INHOPE

We are a founder member of INHOPE, the International Association of Internet Hotlines. INHOPE brings together 46 hotlines worldwide. Within this membership we exchange information and experience. We utilise the ICCAM platform which enables efficient and secure processing of illegal content between hotlines. Further information about INHOPE can be found here and their Privacy Policy can be found on their website.

For more information regarding our partnerships, do explore our website which has detailed pages on the various collaborations and partnerships we’re involved in.

We want to be sure that where we communicate directly with any of our stakeholders we do so with their full and clear consent. We will always aim to be transparent about why we’re contacting and the ways in which people can end that contact if they choose to. Our primary means of communicating to our interested parties and stakeholders is via regular newsletters and our social media feeds.

Newsletters

If you wish to receive our general newsletter you can subscribe at the bottom of our website’s homepage. This will require a name and email address and you will also be required to verify your email address before you’ll be added as a recipient. You can ask to be removed from this mailing list at any time via [email protected] or [email protected] and this will be expeditiously actioned.

As newsletter recipients choose to receive this information, our lawful basis for processing personal data in this instance is consent.

Our Members, International Partners and IWF Champions are also offered a tailored newsletter which they can also subscribe to, or unsubscribe from, at any time.

Social Media

We regularly post articles and news that we feel could be of interest via our social media feeds such as Facebook, Twitter, LinkedIn and YouTube. It is the responsibility of users of those sites to maintain their own personal privacy settings however, we would not share any post that uniquely identifies someone without their permission. As the controller of our social media sites we reserve the right to have abusive or offensive content by users blocked or removed and will report any such behaviour to the social network at hand.

Applications

If you choose to apply for a role with the IWF you will be asked to complete a standardised application form – we do not receive CVs or other formats of application.

Within that application form you will be asked for your name and contact details. We will also ask for your prior experience, your education, referees and we'll ask you to answer specific questions regarding the role you're applying for. This information will be accessible to our recruitment team only at this stage.

We also ask you to provide equal opportunities information by way of a separate standardised form. You do not have to complete it if you do not wish to – it will not affect your application if you choose not to. The information recorded will not be made available to anyone outside of our recruitment team. Any information provided on that form is for the production and monitoring of anonymised equal opportunity statistics.

You may also be asked to complete a self-disclosure form in relation to cautions, convictions, court marshals or pending court action or police investigations. Again, this information will be treated confidentially and disposed of appropriately.

Shortlisting and interviews

The relevant hiring Manager(s) will shortlist candidates for interview based on the requirements of the role advertised. The Business Officer will be in touch with applicants to make arrangements for any interviews and to discuss the format that these may take.

Transparency regarding Hotline roles

Roles that require access to the Hotline include an additional ‘personal interview’ with a counsellor and the COO, and a subsequent controlled image viewing session with the Hotline Manager and COO. These additional welfare measures are in place to assess the resilience of candidates and allows them time to reflect on whether the role is something they can undertake.

The welfare of our staff is of paramount importance to us and those that have Hotline access have monthly counselling and an annual psychological assessment to support them in carrying out these roles.

Offer stage

Employment offers are subject to the following:

• Provision of evidence of entitlement to work in the UK;
• Reference checks;
• Completion of a pre-medical questionnaire (see below);
• Completion of an Enhanced DBS check.

Pre-medical questionnaire

Heales Medical provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.

They will contact you directly with the questionnaire which will take you to their website. The information you provide will be processed by Heales Medical who will provide us with a 'fit to work certificate' or a report with recommendations. You are able to request to see the report before it is sent to us.
Once the above has been satisfactorily completed an employment contract can be issued.

Our lawful basis for processing the personal data involved in recruitment is for the purpose of entering into a contract.

Applicants can withdraw their application at any time and their information will be appropriately and securely disposed of in that case.

Retention of personal data

Personal information from unsuccessful candidates will be retained for a maximum of six months following closure of the job posting in case of queries after which time it will be appropriately and securely disposed of.

We retain personal data with respect to our current employees to allow us to fulfil our requirements of their employment contract and relevant legal obligations. We also utilise the DBS update service to ensure the enhanced disclosure and barring service checks remain up to date for all employees – a condition of their contract.

We retain data with respect to former employees for a period of six years following the end of their contract in case of reference requests. This information will subsequently be appropriately and securely disposed of.

Further information for staff regarding the processing of their personal data can be found in the internal Staff Handbook.

FUNDRAISING

In order to meet our charitable objectives, we carry out fundraising activities to raise public awareness and to garner financial support for the important work we do. We do so in line with our Fundraising Policy.

We are a registered member of the Fundraising Regulator and are committed to abiding by the Code of Practice - the fundamentals principles of which are to act legally, be open, be honest and to be respectful. Responsible and lawful personal data processing is also a critical mandate of the code.

In planning any fundraising activities or events we need to consider the ‘lawful basis’ – the reason, for processing any personal data to ensure we do so in accordance with GDPR and the Data Protection Act 2018.

The lawful bases under GDPR:

Consent – you’ve explicitly consented to your personal data being processed for a specific purpose.

Performance of a contract – a contract is in place with an individual/organisation and certain legal terms and conditions apply.

To comply with a legal obligation – we may be subject to a legal obligation to process certain personal information.

To protect vital interests – if there is an immediate risk to someone’s health, we may need to process their personal data.

Performance of a task carried out in the public interest – much of our core work is carried out for this reason as it is in the public interest to eliminate child sexual abuse material from the internet.

Legitimate interests – much of our fundraising activity as a whole will fall under this reason. i.e. processing certain personal data supports the core activities that we perform as a charity.

We manage your personal data within a secure Client Records Management (CRM) system which enables us to maintain accurate records. This system, as with the rest of information technology infrastructure, forms part of our ISO27001 Standard Information Security Management System (ISMS).

Note that victim identification is not within our remit. Where we use any case studies or ‘stories’ for our marketing or fundraising activities, the information therein has been adjusted and anonymised to protect the victims we see online. Any use of partner case studies – such as those of the Marie Collins Foundation will have been authorised and the individual’s consent sought before any such sharing or subsequent publication by us.

DONATIONS

We utilise Stripe for credit/debit card processing of online donations and the website widget is via Donorbox. The IWF does not have access to credit / debit card information or bank details in this transaction. Online donations are processed in accordance with the Payment Card Industry Data Security Standards (PCI-DSS).

Donorbox facilitates a regular payment option and more information can be found via their website.

We do not publish donor details without their express written permission.

We like to claim Gift Aid on your donations where it is permissible for us to do so. You can find out more about this on our donations page.

Any donation cheques sent directly to us are forwarded as quickly as possible to our bank for processing. We will always want to acknowledge receipt and thank anyone who chooses to aid our mission in this way. Where a donor has supplied contact details, we will endeavour to reach out to them to thank them for their generosity which we constitute being a legitimate interest. We will not subsequently retain their personal data, unless they choose to subscribe to our newsletter or to receive other relevant updates about the organisation.

We promote the use of Amazon Smile, Give as you Live and Charity Challenge on our donations page to further support our fundraising efforts. If you choose to utilise any of these links for the purposes of supporting us, any personal data processed will be done so by those companies as the data controller.

At the present time we do not accept cash donations.

If you wish to exercise any of your rights under GDPR to make a formal Data Subject Access Request (DSAR) please write to us at [email protected].

Your rights

• Access to your personal information;
• Objection to processing of your personal information;
• Objection to automated decision-making and profiling (Note: the only activity we do that we consider involves 'automated decision-making' is our collection of Cookies that can be either consented to or not depending on your preference. We do not do any 'profiling');
• Restriction of processing of your personal information;
• Your personal data portability;
• Rectification of your personal information; and
• Erasure of your personal information.

If you make a request relating to any of the rights listed above, we will consider each request in accordance with all applicable data protection laws and regulations and respond in the first instance within one month of receipt.

No administration fee will be charged for considering and / or complying with such a request unless the request is deemed to be excessive in nature. If a complex request is received, we may need to extend the period to a further two months in order to respond appropriately. We will inform you of the reasoning behind any extension.

Upon successful verification of your identity you are entitled to obtain the following information about your own personal information:

• The purposes of the collection, processing, use and storage of your personal data.
• The source(s) of the personal information, if it was not obtained from you.
• The categories of personal data stored about you.
• The recipients or categories of recipients to whom your personal data has been or may be transmitted, along with the location of those recipients.
• The envisaged period of storage for your personal data or the rationale for determining the storage period.

You can make the above request by emailing [email protected] or by writing to:

Data Protection Officer
The Internet Watch Foundation
Discovery House
Vision Park
Chivers Way
Histon
Cambridge
CB24 9ZR

Please be aware that during the Covid-19 pandemic there is a reduced workforce in our office therefore online contact is recommended to ensure a swift response to your query.

We want to be sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

You have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) if you believe your data has not been processed by the IWF in the stated way, or in accordance with GDPR.

You can contact them on their helpline– 0303 123 1113 or via their website – www.ico.org.uk.

Personal data breaches

We take any suggestion of a personal data breach seriously and will fully investigate it. As per the requirements of GDPR, we will alert the ICO within 72 hours if we believe a breach has occurred, and depending on the circumstances, also contact those who may be impacted.

You can learn more about the obligations of organisations regarding personal data breaches on the ICO’s website here.

Where we feel it necessary in the event of a breach, we may employ an independent consultant or advisor to investigate the matter on our behalf.

We reserve the right to make changes to this Privacy Notice. Each time you visit our website we would encourage you to check that no changes have been made to any sections that are important to you. This notice was last updated in September 2020.