We (“we”, “our” or “us”) are the Internet Watch Foundation (“IWF”) whose registered office is Discovery House, Vision Park, Chivers Way, Histon, Cambridgeshire, CB24 9ZR. Our charity registration number is 1112398 and company registration number is 34226366.
You (“you” or “your”) are the Data Subject and user or viewer of our web site.
We are the Data Controller of the personal data we collect about you.
This privacy notice explains the who, what, when, where and why with respect to your personal data we process. It covers the following:
We really value the support we receive from the public; our members, partners and stakeholders and we take your privacy seriously. We are fully committed to compliance with applicable data protection laws, and we keep up-to-date with legislation changes.
In processing child sexual abuse material for the fulfilment of our remit and to the extent that this is personal data, we are doing so for reasons of substantial public interest as a relevant self-regulatory authority which is recognised within the Memorandum of Understanding between the Crown Prosecution Service (CPS) and National Police Chief’s Council (NPCC). Further information can be provided on request.
We will keep your personal data secure and confidential and will only use it for the purposes intended. At no time will we sell your personal data.
In adhering to the GDPR we are committed to protecting Personal Data in accordance with the following:
Data must be processed lawfully, fairly and in a transparent manner.
Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data processed must be adequate, relevant, and limited to what is necessary.
Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure data that are inaccurate, are erased or rectified without delay.
Data must not be kept for longer than is necessary for the purposes for which the data are processed.
Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Personal Data, as defined under the GDPR, which we process includes certain information which can be used to potentially identify you.
Although we do not currently collect and/or process Special Category (sensitive) Personal Data, should this change, we shall inform you and explain any further protections that we may implement.
The Personal Data we collect about you is as follows:
|Our Capacity:||Data Controller|
|Purpose/Activity:||Operational management of the platform|
|Type of Data:|
Web server logs
Identity: IP Address
Other: Site usage information including URL.
|When:||Ongoing basis during system use|
|How Long:||Deleted after a period of 50 months|
|Lawful Basis:||Legitimate Interest|
Operational management of the platform to ensure the performance and capacity of the service meets service level agreement targets
Type of Data:
Identity: IP Address, temporary unique user identifier
Stored as cookies and other local storage mechanisms.
See separate Cookie Notice.
Ongoing basis during system use
See separate Cookie Notice.
During our relationship with you and providing this website to you, we currently engage the following parties as Data Processors, all of whom we have assessed for their compliance with relevant data protection legislation:
Other than as set out above, we do not transfer Personal Data outside the United Kingdom (UK) if you are based within the UK.
If you are based outside of the UK, to provide our services which include contacting you, we shall be obliged to send the Personal Data outside of the UK.
Whenever we transfer Personal Data to a Data Processor or third-party outside of the UK, we have ensured that appropriate measures, as allowed for by the GDPR, are in place to continue the ongoing protection of the Personal Data.
Where we provide links to other websites that are not owned or managed by the IWF, clicking on those links may allow third parties to collect or share data about you. We do not control these websites and cannot be held responsible for the privacy of data collected by those sites.
You should consult each website’s respective Privacy Notice or policy if you have any concerns or would like further information.
You have the following rights under the GDPR, though some may not always apply depending upon the lawful basis of processing of the Personal Data, or other relevant circumstances:
If you make a request relating to any of the rights listed above, we will consider each request in accordance with all applicable data protection laws and regulations and respond in the first instance within one month of receipt.
You may make a request by:
Emailing: firstname.lastname@example.org; or
Writing to: Data Protection Officer, The Internet Watch Foundation, Discovery House, Vision Park, Chivers Way, Histon, Cambridge, CB24 9ZR
No administration fee will be charged for considering and / or complying with such a request unless the request is deemed to be excessive in nature. If a complex request is received, we may need to extend the period to a further two months to respond appropriately. We will inform you of the reasoning behind any extension.
Please be aware that during the Covid-19 pandemic there is a reduced workforce in our office therefore online contact is recommended to ensure a swift response to your query.
We are committed to taking steps to ensure that your Personal Data is protected, and to prevent any unauthorised access, unauthorised changes, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
We are an ISO27001 accredited organisation which means our information security management system has been independently verified as meeting the high standards expected of ISO27001 certification. You can therefore be assured of the seriousness with which we take the security of your data.
We take any potential personal data breach seriously and will fully investigate it. As per the requirements of the GDPR, we will record all data breaches and report to the Information Commissioner’s Office (ICO) within 72 hours if we assess necessary. If a data breach is assessed to be a high risk to data subjects, will contact you as soon as possible.
You can learn more about the obligations of organisations regarding personal data breaches on the ICO’s website .
Where we feel it necessary in the event of a breach, we may employ an independent consultant or advisor to investigate the matter on our behalf.
We are committed to monitoring this policy and reserve the right to make changes to this Privacy Notice. Each time you visit our website we would encourage you to check that no changes have been made to any sections that are important to you.
This notice was last updated in July 2021.
We try to meet the highest standards when processing Personal Data. For this reason, we take any complaints we receive about our services seriously. We encourage you to bring any issues, in relation to data privacy, to our attention if you think that our processing of your Personal Data is unfair, misleading or inappropriate, by email at email@example.com.
You have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO) if you believe your data has not been processed by the IWF in the stated way, or in accordance with relevant data protection legislation.
You can contact the ICO on their helpline – 0303 123 1113 or via their website – www.ico.org.uk.