Privacy Notice

Section 1 - Our approach to personal data processing

We really value the support we receive from the public; our members, partners and stakeholders and we take your personal data privacy seriously. We are fully committed to compliance with applicable data protection laws and we keep up-to-date with legislation changes. 

In processing child sexual abuse material for the fulfilment of our remit and to the extent that this is personal data, we are doing so for reasons of substantial public interest as a relevant self-regulatory authority which is recognised within the Memorandum of Understanding between the Crown Prosecution Service (CPS) and National Police Chief’s Council (NPCC). Further information can be provided on request.

We are an ISO27001 accredited organisation which means our information security management system has been independently verified as meeting the high standards expected of ISO27001 certification. You can therefore be assured of the seriousness with which we take the security of your data.

We will keep your personal data secure and confidential and will only use it for the purposes intended. At no time will we sell your personal data.

We may disclose your personal information to third parties if we are legally obliged to; or in order to enforce or apply our terms of use for our website or other agreements; or to protect the rights, property or safety of the IWF, our donors or others. 

Where we provide links to other websites that are not owned or managed by the IWF we cannot be held responsible for the privacy of data collected by those sites. You should consult each website’s respective Privacy Notice or policy if you have any concerns or would like further information.

Section 2 - Cookies

Our website is maintained by Crafted who are contractually bound to keep any personal data processed on our behalf via the website secure.

We use Google Analytics to interpret our website’s traffic to ensure it is working in the best way possible and to allow us to continually improve the experience for users. 

Any information gathered for this purpose is for internal use only. The Internet Protocol (IP) address of the computer or other device you use to access the website is used to gather anonymised statistical data. It is not retained with a view to identifying you personally by either ourselves or Google Analytics. We have a legitimate interest in monitoring the use of our website which is for the purpose of continual improvement.

You do however have the option to prevent Google Analytics from using your data. You can find more information on this here

You can find more information on how Google generally uses your data here

Cookies used on our site are as follows. 

Cookie

Provider

Purpose

Duration

Consent

Google

Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR-compliance of the website.

 

2 years

CookieConsent

IWF

Stores the user's cookie consent state for the current domain

1 year

__cf_bm

report-uri.com

This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.

1 day

lang

Linkedin

Remembers the user's selected language version of a website

Session

UserMatchHistory

Linkedin

Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

29 days

bcookie

Linkedin

Used by the social networking service, LinkedIn, for tracking the use of embedded services.

2 years

lidc

Linkedin

Used by the social networking service, LinkedIn, for tracking the use of embedded services.

1 day

AnalyticsSyncHistory

Linkedin

Used in connection with data-synchronization with third-party analysis service.

29 days

NID

Google

Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.

6 months

p.gif

Typekit

Keeps track of special fonts used on the website for internal analysis. The cookie does not register any visitor data.

Session

vuid

Vimeo

Collects data on the user's visits to the website, such as which pages have been read.

2 years

_ga

Google

Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

2 years

_gid

Google

Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

1 day

_gat

Google

Used by Google Analytics to throttle request rate

1 day

Section 3 - Reports

We understand how distressing it can be to stumble across potentially illegal child sexual abuse material and are therefore extremely grateful for the reports we receive that help us in our work. We do recognise that reporters can be concerned about doing this.

You can remain completely anonymous when reporting something you’ve stumbled across online.

If you’d like to know what happened with your report however, then the minimum we need is your name and an email address so that we can send you a confirmation email with a unique reference number. You may also supply an organisation name if reporting on behalf of your company. By providing your contact details to us, you consent to us storing them for this purpose. Note you will be directed to this Privacy Notice before progressing to the submission of your report where you do so non-anonymously.

If you do indeed choose to provide your details, they will be recorded in our reporting system for 90 days to allow for that communication. They will then be automatically deleted after those 90 days. Please be aware that if you report more than once with the same details, each instance of reporting starts that 3-month retention period again. Therefore, if you do not wish for your details to be retained for that period following each report you may prefer to go back a step and report anonymously.

Be assured, your personal details would not be disclosed to third parties without your express written permission. However, in rare circumstances it may be necessary or advisable for us to disclose your details to the police or other international law enforcement agencies in order to assist them with enquiries they are pursuing or where not to do so would pose a potentially immediate risk of serious harm to a child or other person(s). In such cases we regard the disclosure to be either in the public interest, or as a legitimate interest for the purpose of preventing the spread of child sexual abuse material. 

Reports received via our International Portals come directly into our UK-based reporting system. At no time are reports (nor reporter details) viewed or accessed by any persons outside of the UK.

Section 4 - IWF Members and our Partnerships

Members

If your organisation chooses to join our Membership, our Development team will be in touch to explain the details they’ll need from you that will be used to communicate with you in the delivery of your chosen services. Key to this for example will be the contact details (names, work numbers and work email addresses) of your designated team members so that we can successfully work together.

In processing Member applications, we utilise Umbraco Forms to collect relevant business information (see their privacy page for further information) and we also use AdobeSign for the processing of subsequent contracts. More information on AdobeSign can be found on their website here

In processing this information with a view to forming a business relationship we’re initially processing the data with a legitimate interest. 

We work with a number of organisations in this way to forge successful business partnerships. In working with any third parties we ensure robust due diligence is carried out, and formal arrangements are in place to ensure the security and confidentiality of any personal data that may be processed in working with them.

If you require further information, you can contact our Development team.

Partnerships

We work in partnership with a number of highly regarded, prestigious and varied organisations across the world to help us in our mission to eliminate child sexual abuse imagery online. Examples of the types of organisations we work with include; other NGOs, the internet industry, INHOPE – the International Association of Internet Hotlines, Government and law enforcement agencies around the world.

These partnerships come in many forms and are managed through a combination of formal agreements, legal contracts, initiatives and collaborations. Be assured that where personal data (including that of our staff or any contractor(s) working on our behalf) is processed in order to carry out any such partnership, it is done so securely and within the confines of the law. Further information on our partnerships can be found within our website.

In working with organisations around the world we need to be sure data is not transferred outside the European Economic Area without appropriate controls being in place. If you are in the European Union, and your personal data is transferred to a third-party service provider outside the European Economic Area (EEA), this will occur under a safeguard mechanism recognised by the European Commission as providing adequate protection for your personal data.

Report Remove

To support young people to remove sexual images of themselves online, the NSPCC and the IWF have developed the Report Remove tool, in partnership with age verification app, Yoti. Report Remove can support a young person in reporting sexual images or videos shared online and enables the young person to get the image removed if it is illegal. The NSPCC’s Childline service ensures that the young person is safeguarded throughout the process. 

Information for children using Report Remove 

There are 3 organisations that help you report your image using Report Remove. These are Childline, IWF and also Yoti if you are 13 or older. All of them have a responsibility to keep all of your personal information safe.  

  1. We’ll ask you to choose your age range (under 13, 13-15,16-17, 18 and over). If you’re under 13, you’ll go straight to step 3. If you’re aged 13 or older, us at Childline will ask you to visit Yoti. The only information we will share with Yoti is that you are wanting to prove your age to use Report Remove.  
  2. Once you prove your age using Yoti, you will come back to Report Remove on Childline. The only information Yoti will share with Childline is confirmation that you’re younger or older than 18.   
  3. We’ll then ask you to create or sign in to a Childline account. Then you’ll go to the IWF website to share the content you want removed. Childline will only share this information with IWF: that you're younger than 18, the age range you selected at the start and a unique number that is created when you use Report Remove. 
  4. After your report has been passed to the IWF, they will tell Childline if they were able to take the images or video down from the internet, and why. This is so Childline can let you know what happened.   

Information you give to Childline: Any information you give Childline will always be treated carefully and in line with their Privacy Policy. This means that any information you give them as part of Report Remove will only be used to help us at the IWF review your report and for Childline to keep you safe. This will include the age range that you select and a unique number that’s created when you go onto our IWF website. Neither Childline nor the IWF will share any of your information with Yoti.  

Information you give to us at the IWF: The only information you will give us are the images, videos or URLs you report. There is space to add information such as where the image or video is on a webpage. We will process this in line with the rest of this Privacy Notice. Illegal images/videos may be kept by the IWF for up to 2 years in line with what’s called a ‘Memorandum of Understanding’ that we have with the police and the Crown Prosecution Service (CPS). Any images/videos that we decide are not illegal may be kept for up to 6 months max to allow time for quality checking and any follow up questions, they will then be deleted. Childline will never see what pictures, videos or URLs you share with us. The only information we share with Childline apart from your case number is whether or not we could take down your images or videos, and why, so they can let you know.  

Information you give to Yoti: You may need to use Yoti to confirm your age if you’re over 13. This may involve taking a selfie, so Yoti know it is you who are proving your age, and uploading a picture of some ID. Any personal data you send Yoti - like your photo, date of birth or address - is scrambled with a high level of encryption so that even if it was stolen, no one could use it to identify you. The only information Yoti shares with Childline is confirmation that you’re under or over 18.  

The UK Safer Internet Centre

The UK Safer Internet Centre is a partnership between the IWF, South West Grid for Learning (SWGfL) and Childnet. We provide a range of activities to promote the safe and responsible use of technology to children. The UK Safer Internet Centre has a dedicated website which is coordinated by the lead partner – SWGfL and you can find an updated Privacy Policy on that website. You can find out more about the partnership here.

INHOPE

We are a founding member of INHOPE, the International Association of Internet Hotlines. INHOPE brings together 46 hotlines worldwide. Within this membership, we exchange information and experience. We utilise the ICCAM platform which enables efficient and secure processing of illegal content between hotlines. Further information about INHOPE can be found here and their Privacy Policy can be found on their website.

For more information regarding our partnerships, do explore our website which has detailed pages on the various collaborations and partnerships we’re involved in.

Section 5 - Communications

We want to be sure that where we communicate directly with any of our stakeholders we do so with their full and clear consent. We will always aim to be transparent about why we’re contacting and the ways in which people can end that contact if they choose to. Our primary means of communicating to our interested parties and stakeholders is via regular newsletters and our social media feeds.

Newsletters

If you wish to receive our general newsletter you can subscribe at the bottom of our website’s homepage. This will require a name and email address and you will also be required to verify your email address before you’ll be added as a recipient. You can ask to be removed from this mailing list at any time via membership@iwf.org.uk or dpo@iwf.org.uk and this will be expeditiously actioned. 

As newsletter recipients choose to receive this information, our lawful basis for processing personal data in this instance is consent.

Our Members, International Partners and IWF Champions are also offered a tailored newsletter which they can also subscribe to, or unsubscribe from, at any time.

Social Media

We regularly post articles and news that we feel could be of interest via our social media feeds such as Facebook, Twitter, LinkedIn and YouTube. It is the responsibility of users of those sites to maintain their own personal privacy settings however, we would not share any post that uniquely identifies someone without their permission. As the controller of our social media sites we reserve the right to have abusive or offensive content by users blocked or removed and will report any such behaviour to the social network at hand.

Section 6 - Recruitment and employees

Applications

If you choose to apply for a role with the IWF you will be asked to complete a standardised application form – we do not receive CVs or other formats of application.

Within that application form you will be asked for your name and contact details. We will also ask for your prior experience, your education, referees and we'll ask you to answer specific questions regarding the role you're applying for. This information will be accessible to our recruitment team only at this stage. 

We also ask you to provide equal opportunities information by way of a separate standardised form. You do not have to complete it if you do not wish to – it will not affect your application if you choose not to. The information recorded will not be made available to anyone outside of our recruitment team. Any information provided on that form is for the production and monitoring of anonymised equal opportunity statistics.

You may also be asked to complete a self-disclosure form in relation to cautions, convictions, court marshals or pending court action or police investigations. Again, this information will be treated confidentially and disposed of appropriately.

Shortlisting and interviews

The relevant hiring Manager(s) will shortlist candidates for interview based on the requirements of the role advertised. The Business Officer will be in touch with applicants to make arrangements for any interviews and to discuss the format that these may take. 

Transparency regarding Hotline roles

Roles that require access to the Hotline include an additional ‘personal interview’ with a counsellor and the COO, and a subsequent controlled image viewing session with senior members of the Hotline team. These additional welfare measures are in place to assess the resilience of candidates and allows them time to reflect on whether the role is something they can undertake.

The welfare of our staff is of paramount importance to us and those that have Hotline access have monthly counselling and an annual psychological assessment to support them in carrying out these roles.

Offer stage

Employment offers are subject to the following:

  • Provision of evidence of entitlement to work in the UK;
  • Reference checks;
  • Completion of a pre-medical questionnaire (see below);
  • Completion of an Enhanced DBS check.

Pre-medical questionnaire

Heales Medical provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.

They will contact you directly with the questionnaire which will take you to their website. The information you provide will be processed by Heales Medical who will provide us with a 'fit to work certificate' or a report with recommendations. You are able to request to see the report before it is sent to us. 
Once the above has been satisfactorily completed an employment contract can be issued.

Our lawful basis for processing the personal data involved in recruitment is for the purpose of entering into a contract. 

Applicants can withdraw their application at any time and their information will be appropriately and securely disposed of in that case.

Retention of personal data

Personal information from unsuccessful candidates will be retained for a maximum of six months following closure of the job posting in case of queries after which time it will be appropriately and securely disposed of.

We retain personal data with respect to our current employees to allow us to fulfil our requirements of their employment contract and relevant legal obligations. We also utilise the DBS update service to ensure the enhanced disclosure and barring service checks remain up to date for all employees – a condition of their contract.

We retain data with respect to former employees for a period of six years following the end of their contract in case of reference requests. This information will subsequently be appropriately and securely disposed of. 

Further information for staff regarding the processing of their personal data can be found in the internal Staff Handbook.

Section 7 - Fundraising 

In order to meet our charitable objectives, we carry out fundraising activities to raise public awareness and to garner financial support for the important work we do. We do so in line with our Fundraising Policy.

We are a registered member of the Fundraising Regulator and are committed to abiding by the Code of Practice - the fundamentals principles of which are to act legally, be open, be honest and to be respectful. Responsible and lawful personal data processing is also a critical mandate of the code. 

In planning any fundraising activities or events we need to consider the ‘lawful basis’ – the reason, for processing any personal data to ensure we do so in accordance with the UK GDPR and the Data Protection Act 2018. 

The lawful bases under the UK GDPR:

  • Consent – you’ve explicitly consented to your personal data being processed for a specific purpose. 
  • Performance of a contract – a contract is in place with an individual/organisation and certain legal terms and conditions apply. 
  • To comply with a legal obligation – we may be subject to a legal obligation to process certain personal information.
  • To protect vital interests – if there is an immediate risk to someone’s health, we may need to process their personal data. 
  • Performance of a task carried out in the public interest – much of our core work is carried out for this reason as it is in the public interest to eliminate child sexual abuse material from the internet.
  • Legitimate interests – much of our fundraising activity as a whole will fall under this reason. i.e. processing certain personal data supports the core activities that we perform as a charity.
  • We manage your personal data within a secure Client Records Management (CRM) system which enables us to maintain accurate records. This system, as with the rest of information technology infrastructure, forms part of our ISO27001 Standard Information Security Management System (ISMS).
  • Note that victim identification is not within our remit. Where we use any case studies or ‘stories’ for our marketing or fundraising activities, the information therein has been adjusted and anonymised to protect the victims we see online. Any use of partner case studies – such as those of the Marie Collins Foundation will have been authorised and the individual’s consent sought before any such sharing or subsequent publication by us.

Section 8 - Your rights

If you wish to exercise any of your rights under the UK GDPR to make a formal Data Subject Access Request (DSAR) please write to us at dpo@iwf.org.uk

Your rights are:

  • Access to your personal information;
  • Objection to processing of your personal information;
  • Objection to automated decision-making and profiling (Note: the only activity we do that we consider involves 'automated decision-making' is our collection of Cookies that can be either consented to or not depending on your preference. We do not do any 'profiling');
  • Restriction of processing of your personal information;
  • Your personal data portability;
  • Rectification of your personal information; and 
  • Erasure of your personal information.

If you make a request relating to any of the rights listed above, we will consider each request in accordance with all applicable data protection laws and regulations and respond in the first instance within one month of receipt. 

No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be excessive in nature. If a complex request is received, we may need to extend the period to a further two months in order to respond appropriately. We will inform you of the reasoning behind any extension. 

Upon successful verification of your identity you are entitled to obtain the following information about your own personal information:

  • The purposes of the collection, processing, use and storage of your personal data.
  • The source(s) of the personal information, if it was not obtained from you.
  • The categories of personal data stored about you.
  • The recipients or categories of recipients to whom your personal data has been or may be transmitted, along with the location of those recipients.
  • The envisaged period of storage for your personal data or the rationale for determining the storage period.

You can make the above request by emailing dpo@iwf.org.uk  or by writing to:

Data Protection Officer 
The Internet Watch Foundation
Discovery House
Vision Park
Chivers Way
Histon
Cambridge
CB24 9ZR

We want to be sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

You have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) if you believe your data has not been processed by the IWF in the stated way, or in accordance with the UK GDPR. 

You can contact them on their helpline– 0303 123 1113 or via their website.

Personal data breaches

We take any suggestion of a personal data breach seriously and will fully investigate it. As per the requirements of the UK GDPR, we will alert the ICO within 72 hours if we believe a breach has occurred, and depending on the circumstances, also contact those who may be impacted. 

You can learn more about the obligations of organisations regarding personal data breaches on the ICO’s website here.

Where we feel it necessary in the event of a breach, we may employ an independent consultant or advisor to investigate the matter on our behalf.

Section 9 - Changes to this Privacy Notice

We reserve the right to make changes to this Privacy Notice. Each time you visit our website we would encourage you to check that no changes have been made to any sections that are important to you. This notice was last updated in [September 2021].