BEATSON CANCER CHARITY – PRIVACY NOTICE
Beatson Cancer Charity (“we”, “our”, “us”, “the Charity”), a charity registered in Scotland (Charity Number SC044442) and a company registered in Scotland (Company Number SC461242) recognise the need for appropriate protections and management of your personal information. When we collect and use your personal information in the way set out in this Privacy Notice, we are the controller for the purpose of Data Protection Legislation (defined below) and are responsible for your personal data.
This privacy notice also covers the rest of the Beatson Group. The Beatson Group is made up of:
For the most part this privacy notice refers to the activities of the Beatson Cancer Charity but where your personal information is collected by, shared with and/or used by one of the other organisations in the Beatson Group, this is explained in this notice.
We respect your privacy and are committed to protecting your personal data. This Privacy Notice will let you know how we collect and process your personal data when we interact with you (including when you donate to us or when you fundraise on our behalf or when you apply to work or volunteer with us) or provide services to you and when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.
When we refer to Data Protection Legislation, we mean the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the Data Protection Act 2018.
Personal information is information that can be used to identify or contact a specific individual, such as a name, address, telephone number, email address, etc., and online identifiers and location data such as IP addresses and mobile device IDs.
Special category data means personal information revealing your racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; data related to your health; or data concerning your sex life or sexual orientation.
Criminal convictions data is information relating to criminal convictions or your involvement in criminal proceedings.
A controller is someone who decides why personal data is to be collected and how it will be used and treated.
If you have any questions regarding this Privacy Notice you can contact us using the following details:
Beatson Cancer Charity
Beatson West of Scotland Cancer Centre
1053 Great Western Road
0141 212 0505
If you are unhappy with how we handle your personal information you can write to us using the contact details noted above and / or notify the Information Commissioner’s Office (ICO) (please see: https://ico.org.uk/concerns/ for more information). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, last name or similar identifier (such as date of birth or patient ID).
Contact Data includes personal or business address, personal or business e-mail address and personal or business telephone numbers.
Financial Data includes bank account and payment card details as well as gift aid registration details.
Technical Data includes internet protocol (IP) address, geographic location, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. Where possible, we use aggregated data or anonymous information which does not identify individual visitors to our website.
Usage Data includes information about how you use our website and services and includes information about your service preferences and survey responses (where applicable).
Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
Aggregated Data includes statistical data and/or data included within the NHS database for the purpose of public health reporting and research; however, this will not identify you, either directly or indirectly, and therefore is not considered personal data under the Data Protection Legislation.
Health Data includes information about your health, for example your diagnosis and treatment status and/or any relevant medical conditions and/or dietary requirements.
Employment Data includes information about your employment.
We may from time to time collect Special Categories of Personal Data about you (this could include details about your race or ethnicity, religious or philosophical beliefs, health, sex life, sexual orientation, political opinions, trade union membership and genetic and biometric data). For example, our Care Services team, who assist you with employer relationships, will collect some elements of this data in supporting you through their relationship with you and your employer. This data is kept only within the Care Services area of our systems.
We also may collect data about any criminal convictions and offences, for example in some cases we carry out Protection of Vulnerable Groups (PVG) checks on those within our organisation who interact with patients or children and young people. This includes carrying out PVG checks on members of our Board, our fundraisers (where their role involves visiting schools for example), patient-facing voluntary roles and certain of our Directors.
HOW DO WE USE YOUR PERSONAL DATA AND WHY?
We may collect your personal data in the following ways:
Direct interactions. You may give us your Identity, Contact, Employment and Financial Data (and Health Data) by filling in forms or by corresponding with us in person or by post, telephone, e-mail or otherwise. This includes personal data you provide when you:
contact us about our services and/or enquire about our activities;
use our care services;
donate to us and/or fundraise on our behalf;
participate in an event;
agree to become an Ambassador for us;
complete a survey and/or questionnaire;
consent to us using your image, recording, voice or case study in our marketing materials;
contact us on and/or visit our website;
purchase or order our services and/or goods from our shop;
request marketing or other communications to be sent to you; and
give us feedback or otherwise contact us.
Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies. This may prevent you from taking full advantage of the website. You can easily restrict or block the cookies used by this website through your browser settings; the Help function within your browser will provide detailed instructions on how to change these settings. You can find more information about cookies at www.aboutcookies.org; this site provides instructions on how to block cookies on all the major browsers and also explains how you can delete cookies that have already been stored on your computer.
You should be aware that most cookies are harmless and restricting them may impact on the functionality of the websites you visit.
Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
Technical Data from the following parties:
analytics providers such as Google based outside the EU; and
social media platforms such as Twitter, Facebook, LinkedIn or Instagram with regard to your interactions with us through those platforms.
Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.
Contact, Financial and Usage Data from providers of technical, payment and delivery services such as Worldpay and Stripe based in the UK.
Identity, Contact, Financial and Usage Data from fundraising platforms such as Just Giving, Virgin Money Giving and CAF Charities Trust based in the UK.
Identity, Contact, Health and Usage Data from the NHS and your doctors, nurses and other medical practitioners where you have asked them to contact us or share information with us on your behalf.
Employment information or other information about you provided by a party providing a reference about you.
Identity and Contact information from our trading subsidiary where you make an enquiry of them which requires our input to answer or where you ask them to pass on your details to us.
We use your personal data on the following legal bases:
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we have a contract with you or are taking steps to enter into a contract with you.
Where you have given your consent to the use of your data.
Except as provided above, we will not share personal information with any other third parties without informing you beforehand, unless required by, or in connection with, law and / or regulatory requirements.
We will not sell, trade or lease your personal information to others.
EUROPEAN ECONOMIC AREA
The data that we collect from you will usually be stored inside the UK or the European Economic Area (EEA).
However, if you live or work outside of the UK or the EEA, we may need to transfer your personal data outside of the UK or the EEA to correspond with you. Where this applies, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice.
We also may transfer data outside the UK or the EEA where our service providers host, process, or store data outside the UK or the EEA. Where we do this, we will ensure that the transfer is to a country covered by a decision of the European Commission or is otherwise made in circumstances where we have put appropriate safeguards in place to protect your data in accordance with the Data Protection Law (e.g. standard contractual clauses, EU-US Privacy Shield compliant, etc.).
We will not hold your personal information for any longer than is necessary for the uses outlined above, unless we are required to keep your personal data longer to comply with the law and any regulatory requirements.
We generally apply the following retention periods if you fall under any of the named categories:
Patients – 6 years from the discharge of the patient from provision of our services.
Donors/Supporters/Fundraisers – 6 years from the end of the accounting period to which they relate, if the donor/supporter/fundraiser has not donated within this time. Otherwise, we retain your personal information for marketing purposes, where applicable, until you advise us that you no longer wish to be contacted in this manner.
Legacy Donors – For the lifetime of the offered Legacy from inception to the eventual usage of the gift. As Legacy Gifts could potentially take a long time to come in, this data is held until we are advised that either the Legacy Giver chooses not to donate or the gift is received, and at that stage it is 6 years from the end of the accounting period to which they relate.
Ambassadors – 6 years from ending of Ambassador role.
Funding Applicants – Between 1 month and 7 years depending on the type of Fund applied for.
Job or Volunteer Applicants – 6 months from the date on which we decide to appoint you or not to progress your application.
To find out more information about our retention periods, you can request a copy of our Retention Schedule from us using the contact details given above.
We are committed to protecting the privacy of young people that engage with us through our support services, our website, at events and fundraising initiatives. When we collect information about a child or young person who is under 18, we will always make clear the reasons for collecting this information and how it will be used.
In most cases we will only require information from an individual under the age of 18 in order to register their attendance at an event or to process a donation they wish to make. We may also send thank you letters following a donation or participation in a fundraising activity.
Our fundraising events request specific information about the age of participants and therefore, where you are under 18 and would like to get involved, we request that you have consent from a parent/guardian before giving us your personal information.
You have certain rights under the Data Protection Legislation which can be exercised by contacting us using the contact details provided above, including:
the right to access the personal data held about you by making a subject access request in accordance with the Data Protection Legislation. We may charge a reasonable fee when a request is manifestly unfounded or excessive;
the right to have your personal data rectified if it is inaccurate or incomplete;
the right to request to have your personal data deleted in certain specific circumstances as set out in the Data Protection Legislation;
the right to request to restrict the processing of your personal data in certain specific circumstances as set out in the Data Protection Legislation;
the right to ask us not to process your personal data for marketing purposes (you may opt out of our marketing communications at any time by clicking the “unsubscribe” link at the end of our emails, sending us an “opt-out” text message and/or contacting our fundraising team at email@example.com), however we will maintain a suppression list with your name and contact details to ensure that we do not continue to contact you after you have asked us to stop, or for purposes based on our legitimate interests;
the right to ask us to not undergo automated decision making; and
where you have provided consent, to request to withdraw such consent at any time.
Please note that if you choose to exercise your rights to have personal data restricted or deleted, then we may not be able to provide our services to you.
Further details about your rights can be found on the ICO’s website at https://ico.org.uk/.
LINKS TO OTHER WEBSITES
This Privacy Notice only relates to the Charity. If you link to a third-party website from our main website, you should remember that this is not our website and therefore you should read the terms and conditions and Privacy Notice on those third party websites before continuing. We are not responsible for any use of your information that is made by other websites and/or organisations.
UPDATES TO THIS PRIVACY NOTICE
We keep our Privacy Notice under regular review and the most current version can be found on our website or requested from us on the contact details given above.
If we make any substantial changes we will notify you by posting a prominent notice on our website.