Policies
PRIVACY STATEMENT
The David Gibbons Foundation and the Gibbons Family Trust (The Gibbons Trusts)
Last updated: 27 January 2026
This Privacy Policy is published on our website to explain, in clear and accessible terms, how we use personal data. It is intended for grant applicants, funded organisations and anyone who contacts or interacts with the Trust online.
This Privacy Policy explains how The Gibbons Trusts collects, uses, stores and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Gibbons Trusts, comprising the David Gibbons Foundation and the Gibbons Family Trust, are private, family grant-making charitable trusts (registered charities). The Trusts were established to make grants in furtherance of the charitable objects specified by David and Vera Gibbons.
We do not fundraise from the public and do not deliver services directly. We process personal data only where it is necessary to administer our grant-making, manage trustee governance, and meet our legal and regulatory obligations, in line with Charity Commission guidance.
- Who We Are (Data Controller)
The Gibbons Trusts collectively are the data controller for personal data collected through this website and in connection with our grant-making activities. Day-to-day responsibility for data protection is held by Cathy Houghton, Trusts Manager. Simon Barnett, Trustee, is the Data Protection Officer.
Contact details:
Our postal address can be found on the Charity Commission website; however, as we all work remotely, our preferred method of contact is email.
Email: enquiries@gibbonstrusts.org
- Personal Data We Collect
We only collect personal data that is necessary for the proper administration of the Trust and to meet our charitable and legal obligations, in accordance with the Charity Commission’s guidance on trustee duties and accountability.
We may collect and process the following categories of personal data:
- a) Grant applicants and funded organisations
- Names, roles and contact details of staff, trustees, volunteers or authorised representatives. Personal details of individual beneficiaries such as references or medical information can also be collected and retained to help with fully informed grant-making decisions.
- Information provided in grant applications, supporting documents, reports and correspondence
- Bank account details and payment information (for the purpose of paying grants)
- Monitoring and evaluation information relevant to charitable purposes
- Due diligence and risk management information, including safeguarding, governance and financial controls
Where special category personal data is provided (for example, health information included in references or safeguarding disclosures), it is processed only where necessary, handled confidentially, and subject to additional safeguards.
- b) Trustees and advisers
- Names, contact details and biographical information
- Declarations of interests and conflicts of interest
- Meeting records and decision-making information
- Expense claims and payment details
- c) Complainants and correspondents
- Names and contact details
- Details of enquiries, complaints or concerns raised in accordance with our Complaints Policy
- d) Website users
- Limited technical information such as IP address, device type, browser information and pages visited
- This information is collected using standard website analytics and is used only to help us understand how our website is used and to improve it. Website analytics data is aggregated and used for statistical purposes only. We do not attempt to identify individual users, and analytics data is retained only for as long as necessary to understand website usage trends.
We do not routinely collect special category (sensitive) personal data. Where such data is provided, it is usually incidental and is only processed where necessary and lawful, for example in relation to safeguarding or equality information supplied voluntarily by applicants.
- How We Use Personal Data
As grant-making trusts, we use personal data only where it is necessary and proportionate to support responsible grant-making and good governance. We use personal data to:
- Assess, administer and make decisions on grant applications
- Carry out appropriate due diligence, risk assessment and safeguarding checks
- Make and administer grant payments
- Monitor and evaluate grants in line with our charitable objects
- Manage trustee governance, decision-making and conflicts of interest
- Respond to enquiries and complaints
- Comply with our legal, regulatory and reporting obligations, including those of the Charity Commission
- Lawful Bases for Processing
Under UK GDPR, we rely on the following lawful bases when processing personal data:
- Legitimate interests: to administer the Trust responsibly, make grants in furtherance of our charitable purposes, and ensure proper governance and accountability
- Legal obligation: where processing is required to comply with charity law, financial regulations, accounting requirements or directions from regulators
- Contract: where processing is necessary to make, administer or monitor a grant award
- Consent: where we ask for optional information or where consent is required by law
Where special category data is processed, we rely on explicit consent or other lawful conditions permitted under UK GDPR, including safeguarding and prevention of harm.
- Data Sharing
As private Trusts registered as charities with the Charity Commission, we limit the sharing of personal data to what is necessary for proper administration and accountability. We may share personal data with:
- Professional advisers (such as accountants, auditors or legal advisers)
- Banks and payment service providers
- Regulators, statutory bodies or law enforcement agencies where required by law
- IT and system providers who support our administration under written agreements
All third parties are required to keep personal data secure and to process it only on our instructions.
We do not sell personal data, we do not share it for marketing purposes, and we do not use it for commercial gain.
- Data Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. Access is limited to trustees and advisers who need the information to perform their role.
- Data Retention
We retain personal data for as long as necessary to meet our charitable, legal and regulatory obligations, in line with Charity Commission and HMRC requirements.
Typical retention periods include:
- Grant application and decision records: kept indefinitely on our secure grants database
- Financial and payment records: 7 years for paper records, indefinitely for electronic records
- Trustee records (including declarations of interest): for the duration of trusteeship plus 6 years
- Complaints records: up to 6 years
Personal data is securely deleted or anonymised when it is no longer required.
Certain records are retained indefinitely where this is necessary to maintain a permanent audit trail of charitable decision-making, demonstrate compliance with the Trusts’ governing documents, and respond to regulatory or legal enquiries that may arise many years after a grant decision. We regularly review the personal data we hold to ensure it remains relevant, proportionate and necessary.
- Your Rights
Under UK GDPR, individuals have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request erasure of data (in certain circumstances)
- Request restriction of processing
- Object to processing based on legitimate interests
- Request data portability
- Withdraw consent at any time (where consent is relied upon)
Requests should be made in writing, sent by email, using the contact details above.
We will respond to data protection requests within one month of receipt, in accordance with UK GDPR.
- Data Protection Concerns and Complaints
If you have any concerns about how we use your personal data, please contact us in the first instance using the details above. We aim to handle concerns proportionately and in line with our Complaints Policy.
You also have the right to raise a concern with the Information Commissioner’s Office (ICO). We pay an annual fee to the ICO for inclusion on their registration database.
In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will report the breach to the Information Commissioner’s Office within 72 hours and notify affected individuals where required by law.
Information Commissioner’s Office
www.ico.org.uk
- Changes to This Policy
We may update this Privacy Policy from time to time. The most recent version will always be available on request or on our website (if applicable).
Version: 2.0 – January 2026
Approved by Simon Barnett on 27 January 2026.
COMPLAINTS POLICY
To access our complaints policy click here: Complaints Policy