Privacy Notice
This notice applies to:
- Peoples Momentum – an unincorporated association
- Momentum Campaign (Services) Ltd.
We refer to the above collectively as “Momentum”, “we” and “us” in this document unless otherwise specified.
Who collects your data?
Momentum is an unincorporated association. To carry out certain legal and administrative functions—such as employing staff, entering into contracts, and managing finances—we have established a limited company, Momentum Campaign (Services) Ltd (henceforth ‘MCS’), which acts on behalf of the association in these matters.
For the purposes of data protection law, MCS is the data controller of the personal data we collect. It carries out data processing activities on behalf of the association and ensures compliance with relevant legal obligations.
What data is collected?
The vast majority of the personal data we control relates to our members and supporters. A ‘member’ is anyone currently paying a subscription to Momentum. A ‘supporter’ does not pay a subscription but either actively participates in Momentum activities or else is signed up to our mailing list.
We also collect and process personal data relating to individuals other than members and supporters. This includes suppliers, journalists, individuals from allied campaigns or organisations, high profile individuals, politicians and other public officials, and electors.
Below is a list of personal data we may collect during your time as a member or supporter, or if we process your data in some other capacity. Not all categories will be relevant to you. There may also be times when you have volunteered this information and when you have the opportunity to opt-out of providing certain pieces of information at various times.
- Title, first name, last name, email address, post code, home address, telephone number(s), date of birth.
- Membership to a trade union, socialist society or any affiliated groups;
- Whether you have a disability or any special need, specifically if you are a volunteer or participant in our activities.
- Any roles and responsibilities you have as a Labour member or Momentum member, any Labour / Momentum groups you attend, your attendance and behaviour (how you voted etc.) at any associated events.
- Any communications we have with you which may be over email, SMS, telephone, instant messaging services or face to face.
- Political affiliations and political opinions you have expressed at meetings, events or online.
- Your job title, name of your business or employer, industry sector, work address, details of services you have provided to us, your CV;
- Any type of Labour candidacy selection application forms or outcome information from any selections.
- Bank details including account holder name, sort code, account number, subscription amount, donation amounts and financial activity related to Momentum;
- Any personal data you volunteer in any free text fields in any paper-based or digital surveys, questionnaires or webforms that are captured by Momentum personnel.
- Publicly available information on websites incl. Companies House, electoral registers, news and broadcast media or historical publications etc.
- Posts by or relating to you on social media posts (X, Meta platforms, YouTube etc.).
- Further information about yourself, your family and your circumstances you disclose in conversation and/or communications with/for Momentum.
- Details of any suspensions/expulsions from any political party or from Momentum, any safeguarding issues, details of any complaints or concerns you have made or that are against you, details of complaint resolution including any sanctions, and information on any criminal activity.
- Reasons why you discontinued your membership and all related information [NOTE: we retain most ex-member personal data in order to maintain relationships with our networks and allies and because we have a legitimate interest to keep a record of who has been a member of our organisation. From time to time we may contact ex-members to invite them to rejoin. As an ex-member you are free to opt-out of any contact from us at any time.].
- Personal information related to our equality and diversity policies (sexuality, religion, gender, class, race etc) specifically if you’re a volunteer or participant in our activities.
- Aggregated data, and pseudonymous and anonymous data we have created from your personal data but we are unable to use to directly identify you.
Information on ‘Special Category’ personal data
Momentum may need to process more sensitive types of personal data known as special category data under the UK GDPR. This includes data revealing political opinions, trade union membership, health, sexual orientation, religious or philosophical beliefs, and racial or ethnic origin. For more on what counts as special category data, see the Information Commissioner’s Office website here.
If you become a member, your membership may indicate your political opinion and therefore qualify as special category data. We rely on your explicit consent to process your data, including communicating with you and managing your membership.
If you sign up as a volunteer and we record special category data—such as disability, sexual orientation, or political opinions—for the purpose of assigning you suitable tasks or supporting your role, we process this data under Art. 9(2)(d): as part of our legitimate activities as a not-for-profit with a political aim, and only in relation to members, former members, or others in regular contact with us.
Where you have manifestly made special category data public (e.g. if you’re a pundit discussing your sexuality in public), we may rely on that as a lawful basis for processing.
Where do we obtain your data from?
We collect your personal data in a variety of ways. We refer to ‘direct data collection’ when data is collected directly from you and we refer to ‘indirect data collection’ when the data is not collected directly from you. Here are a list of ways we may obtain your data:
- From yourself when you became a member or join our mailing list (direct data collection).
- From yourself via email, telephone or face to face communications we have with you (direct data collection).
- From yourself when you add any information about yourself to any of Momentum’s I.T. systems to which we give you access (direct data collection).
- From yourself when you apply for an elected position within Momentum or some other activity that involves selection (direct data collection).
- From yourself when you make a payment to us (direct data collection).
- From any photographs/video taken by any photographer or videographer on behalf of Momentum at a meeting or event (indirect data collection).
- From yourself when you complete a survey or other webform presented to you by Momentum or a survey/web-capture provider who is under contract to Momentum (indirect data collection) (also, please refer to that platform’s privacy notice).
- From other Momentum members or supporters who know you or have information about you (indirect data collection).
- From yourself when you have interacted with Momentum on the doorstep, during phonebanking, at an event, online, or other (direct data collection).
- From publicly available websites including Companies House, social media sites, news outlets, and online publications etc. (indirect data collection).
- We may collect personal data that you manifestly choose to make public, including via social media or in publications you have drafted (direct data collection).
- From public bodies such as regulators (e.g. Information Commissioner’s Office, Electoral Commission, HMCS etc) (indirect data collection).
What do we use your personal data for and what is our lawful basis for using it?
We rely on a variety of lawful bases to process your personal data depending on the data subject and nature of the processing. Here are a list of processing activities we undertake for each of the lawful bases stipulated in the GDPR (not including public task, which is not relevant to Momentum):
Necessary for the performance of a contract:
- If you become a member: to process your membership application and manage your membership including processing membership subscriptions, donations and expenses.
- If you are a member: to communicate with you on constitutional and administrative matters e.g. regarding subscriptions, voting rights and processes in internal elections, disciplinary matters, organisational changes etc. [NOTE: we will continue such communications with you even if you unsubscribe to mailing list]
- If you are a member: to handle complaints made by you or against you, to conduct an investigation, gather evidence and make disciplinary decisions and apply sanctions; if appropriate, to liaise with the police, health service providers, charities or regulatory bodies on such matters.
- If you are one of Momentum’s elected representatives or candidates in internal elections: to process your applications, communicate with you throughout the election, and publicise information about you or your candidacy / elected position.
- If you are a service provider: to instruct you, process your financial information, pay your invoices and discharge contractual obligations we owe to you.
Consent:
- If you are a member: to communicate to you, whether by email, SMS, instant messaging service or phone, information relating to our campaigns, news, events, fundraising and how to get involved [NOTE: we will continue to send you such communications in the event that you cancel your membership unless you explicitly instruct us to cease such communications; either way you may unsubscribe from this mailing list at any time during or after membership].
- If you are a member: to share your contact details and membership information with your local branch so they can communicate with you on local activities and news [NOTE: branches have tiered secure access based on the branch’s proven record of activity and on condition of their data protection administrator completing GDPR training].
- If you are a supporter (as opposed to member) who has signed up to our mailing list: to communicate with you via email regarding our campaigns, news, events, fundraising and how to get involved.
Legitimate interest:
- If you have signed up as a volunteer: to communicate with you during campaigns in which you’re helping out. We will often supplement your data with internal notes on your activities, experience, bio, views etc. if it’s necessary to achieve our legitimate purposes and to ensure we give you work and opportunities that are relevant and meaningful.
- If you are a member or supporter: to help ensure our communications are relevant and meaningful, we may supplement the information you provide us with internal notes, tags, lists, filters, or classifications—such as whether you’ve attended an event, opened our recent emails, or engaged with particular campaigns. We do this to understand levels of engagement, segment our audience, and improve how we inform supporters about news, events and ways to get involved. This profiling does not involve automated decision-making that has legal or similarly significant effects.
- If you are a member or supporter: to telephone you in order to develop relationships with you, build networks, and inform you of our activities and ways you can get involved.
- If you are a member of supporter: to use the personal data you provide for internal research, statistical analysis, and reporting. This helps us understand our membership, improve our activities, and make informed decisions. We only use this information in aggregate or non-intrusive ways and never use it to make decisions about individuals.
- If you are a member or supporter: we may, on occasion, share a limited amount of your personal information with trusted partner organisations who share Momentum’s aims and values, and with whom we are undertaking joint campaigning activity. This is done strictly under the supervision of Momentum staff, for specific, limited purposes that support our legitimate interest in furthering our campaign goals. We will only do this where we are confident it does not override your data protection rights and freedoms, and where appropriate safeguards are in place.
- If you are an ex-member: we retain at least some of your data (including name, contact details and level of involvement) to maintain relationships with allies and networks and because we have a legitimate interest to know who has been in our organisation [NOTE: we will never send you unsolicited direct marketing by electronic communications on the basis of legitimate interests, but only on your consent]
- If you are an influencer, pundit, trade union official, leading campaigner or high profile individual: to collect your contact information and information on your views, activities and behaviour where it is publicly available or revealed in our own interactions with you or your networks. and to use that information to contact you on matters relevant to Momentum’s purposes.
- If you are an activist who shares our values and aims: to collect your contact information and information on your views, activities and behaviour, usually directly from you but also sometimes where it is publicly available or revealed in our own interactions with you or your networks. and to use that information to contact you on organisational matters.
- If you are a Labour councillor, local candidate, Labour MP or parliamentary candidate who we deem are sympathetic to Momentum’s mission: to collect your contact information and information on your views, activities and behaviour where it is publicly available or revealed in our own interactions with you or your networks, and to use that information to contact you on matters relevant to Momentum’s purposes including to support your electoral campaigns.
- If you are a journalist: to collect your contact information and information on your journalistic activities for the purpose of briefing you.
Vital interest:
- To handle serious complaints made by you or against you on matters which might endanger life or health, to conduct an investigation, gather evidence and make disciplinary decisions and apply sanctions; if appropriate, to liaise with the police, health service providers, charities or regulatory bodies on such matters.
- To support members and supporters who are at risk of mental or physical harm in the context of Momentum activities.
Legal obligation:
- If you have made financial contributions to Momentum: we will retain your financial information for 7 years as per HMRC guidance after which time we will securely destroy your financial information.
- To respond to subject access requests or any other exercise of a data subject’s right under the GDPR.
- To communicate with regulators (incl. the Information Commissioner’s Office and Electoral Commission) and discharge our compliance duties under relevant legislation.
- To communicate with the police or other authorities in criminal matters;
- To conduct litigation and legal negotiations.
How your data is kept secure
We have physical, electronic, and managerial procedures to help safeguard, prevent unauthorised access to your data, maintain data security, and correctly use your information. These include protecting your information using firewalls, anti-malware, password protection and, where appropriate, encryption.
We use Paypal and GoCardless in order to process financial transactions. These services may process your financial details. Both of these services are registered with the Financial Conduct Authority and use advanced encryption technology in order to protect transactions and your data.
We train our staff and super volunteers to understand data protection and to keep your data secure. We ensure that all individuals who have access to your data sign data protection agreements and non-disclosure agreements, which detail their duties to keep your data secure and not to disclose it to anyone else without our authorisation.
Who has access to your data
We will never sell your data but sometimes it is necessary to share your information, either within the wider Momentum organisation, with other organisations or individuals who share our values and aims and with whom we are campaigning, with our service providers or with regulatory bodies. Data is only ever shared where we have a lawful basis to do so.
We may share data with:
- The wider Momentum organisation such as our most dedicated branches
- Allied trade unions
- Elected representatives who support Momentum
- Campaigns that support Momentum
- Service providers (incl. accountants, HR consultants, lawyers)
- Online platforms (incl. Nationbuilder, Google, Paypal and GoCardless)
- Regulatory bodies (incl. ICO, Electoral Commission etc)
We may, from time to time, share limited amounts of your information with allied and trusted organisations for the purposes of joint campaigning. This is done strictly under the supervision of Momentum staff, for specific, limited purposes that support our legitimate interest in furthering our campaign goals. We will only do this where we are confident it does not override your data protection rights and freedoms, and where appropriate safeguards are in place.
In Momentum, only those staff and volunteers authorised to process your data can access it. We make sure that staff and volunteers see only the data that is necessary to perform their tasks.
Our file management system primarily relies on Google Workspace which we organise into distinct shared drives each of which have appropriate access settings for relevant staff.
If you are resident in Wales or Scotland and join Momentum the unincorporated association as a member, then you will automatically become a member of our sister organisations Welsh Labour Grassroots or Campaign for Socialism respectively, and the information you provide us when joining will be shared with them.
International Transfers
We may need to transfer your data to jurisdictions outside the UK. Such international transfers will invariably take place in the context of using digital platforms whose servers are in foreign jurisdictions. Such platforms we use include:
- Google (Google Workspace)
- Nationbuilder
- Slack
- Meta
We aim where practical to always use platforms whose servers are in jurisdictions that are the subject of an adequacy decision under Art. 45 of the GDPR or, in the case of America, a company that is self-certified under the Data Bridge. Further, or in the alternative, we expect such platforms to adopt appropriate safeguards such as standard contractual clauses or binding corporate rules.
How long will we keep your personal data?
We retain your data only as long as we deem it necessary, relevant and adequate in relation to the purpose of its collection. The retention period will vary depending on the nature of the data and the context. We keep a record in a Register of Processing Activities of retention periods and justifications for all data assets we hold, as per Art. 30 of the GDPR.
If you have signed up to our mailing list as a member or supporter, we will retain the contact data you have provided us until you tell us to delete it and we will continue to mail you our events, news and ways to get involved until you tell us not to.
If you are a member who cancels your membership, we will retain at least some of your data (including name, contact details and level of involvement) until you tell us to delete it and we will continue to mail you until you tell us not to. Ex-members can of course tell us to stop all such contact at any time. We retain the data of ex-members in order to maintain political relationships with our allies and networks and we may contact ex-members in the future to invite them to rejoin. We also retain ex-members’ data on the basis of keeping people safe from any harm, and our legitimate interest in knowing who has or has not been a member in the past when there may be future safeguarding or legal concerns or requests for member information.
If you submit an erasure request, we will delete your data from any and all locations we hold your personal data although we will retain your information if:
- It has been, or is being used within a complaints, disputes or grievance process and we may need to evidence this in the future to defend legal claims.
- We need to keep it to comply with a legal obligation.
- Erasing your data would prejudice scientific or historical research.
- There is information associated with your data which is of a safeguarding concern to yourself or others.
- Erasing will mean we lose our logs of when you made any data protection rights requests.
- Erasing will mean we are unable to understand if you have been a member in the past.
What are your privacy rights?
Under the GDPR you have the following rights regarding your personal data:
- Right to be informed – You have the right to be told how we use your personal data. This privacy notice is part of fulfilling that right.
- Right of access – You can request a copy of the personal data we hold about you.
- Right to rectification – You can ask us to correct or complete inaccurate or incomplete data.
- Right to erasure – In certain circumstances, you can ask us to delete your personal data. This is also known as the “right to be forgotten”.
- Right to restrict processing – You can request that we limit how we use your data in certain circumstances.
- Right to data portability – You have the right to receive your data in a commonly used, machine-readable format, and to ask that we transfer it to another organisation.
- Right to object – You can object to our use of your data where we rely on legitimate interests or carry out direct marketing.
- Rights in relation to automated decision making and profiling – You have rights where automated processing significantly affects you, though we do not typically engage in such processing.
To exercise any of these rights, or if you have questions about how we process your personal data, please contact us at: [email protected].
If you ask for your data to be erased, we will in some cases temporarily transfer your data to a secure backup until we can safely destroy it.
If you are not satisfied with how we respond, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.