How We Collect, Use and Store Personal Data
The processing of your personal data is carried out by or on behalf of Birthrights, a registered charity (number 1151152).
HOW CAN YOU CONTACT US?
The Data Protection Officer
℅ Ramon Lee and Partners
167 City Road
Telephone: 0300 400 3400
Birthrights is committed to data protection and to operating in a way that complies with the General Data Protection Regulation. We will comply with the eight enforceable data protection principles:
Lawfulness, fairness and transparency:
Personal data should be processed in a lawful, fair and transparent manner.
Personal data should be collected for specified, explicit and legitimate purposes and not further processed for additional purposes.
Personal data should be adequate, relevant and limited to the purposes for which it is processed.
Personal data should be accurate, and where necessary, kept up to date.
Personal data should not be kept in a form which permits identification of someone for longer than is necessary.
Integrity and confidentiality:
Personal data should be processed securely.
Organisations must be able to demonstrate compliance with data protection regulation.
Personal data shall not be transferred to a country or territory outside the European Economic Area
This policy explains what information we might collect from or about you, how we look after your personal information and what we do with it.
The policy applies to our use of personal information. This essentially means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, addresses, telephone numbers, photographs of people and other personal details. It will include any expression of opinion about a living individual or any indication of our intentions about that individual We take the responsibility to look after your personal information very seriously.
HOW DO WE COLLECT YOUR INFORMATION?
We may collect information about you directly whenever you interact with us. For example, when you contact Birthrights regarding our activities, access our advice services, register as a supporter, attend a training event, send or receive information, engage with our social media or make a donation to us, you may provide us with your personal information.
We may also receive information about you when you interact with third parties with whom we work. For example, where you’ve made a donation to us through a third-party website (eg Virgin Giving) and given them permission to share your information with us.
We may supplement what we know about you with information that is available to the public. For example, in order to ensure that our communication with you is relevant and tailored to your background and interests, we may collect information about you from publicly-available sources either directly or through third-party subscription services or service providers. See ‘How will we combine and analyse the information we collect about you?’
We may collect aggregated or anonymous information when you visit our website or interact with our content. For example, we may collect information about the services you use and how you use them, like when you watch a video on YouTube, visit our website or view and interact with our ads and content.
WHAT INFORMATION DO WE COLLECT?
The information we collect from you directly or from third parties with whom we work, may include:
- email address,
- telephone number,
- contact preferences,
- bank account details for setting up a regular direct debit,
- credit card details for processing credit card payments,
- employer details for processing a payroll gift,
- taxpayer status for claiming Gift Aid, and
- date of birth, age, and/or gender, where appropriate (eg where registering for an event).
We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone, or in person (i.e., the date, time, and method of contact), details about donations you make to us, events or activities that you register for or attend, and any other support you provide to us.
We may also collect and record any other relevant information you share with us about yourself, including your interests or your affiliations with other charities, community groups, your employer or a Birthrights corporate partner.
In order to ensure that our communication with you is relevant and tailored to your background and interests, we may supplement what we know about you with information that is available to the public. This allows us to better understand your interests, preferences, and level of potential engagement and/or donation, so that we can contact you in the most appropriate way and to ensure that we do not send you unwanted communications. The information we collect and process about you from publicly-available sources may include demographic information associated with your postcode or your address and an estimate of your age. We may collect this information ourselves or through third-party service providers.
Where we have identified that you may have the capacity or affinity to support Birthrights at a higher level, we may use the information we hold about you to identify connections between you and our existing circle of key supporters. We may also review other information about you that is available to the public through internet searches, subscription services, or public databases (eg, Companies House, the electoral register, or the land registry), such as information about corporate directorships, shareholdings, published biographic information, employment and earnings, philanthropic interests and networks, charitable giving history and motivations and relevant media coverage, so that we can engage with you in a more personalised way.
Both women and healthcare professionals can contact us via email for advice on issues relating to human rights in maternity care. To assist with these advice enquiries we may need to record sensitive information such as medical details about the woman and her baby, names of those involved (including healthcare professionals) and date of birth of the baby. We ensure this data is kept securely and only for as long as necessary to progress the advice case and any follow-up work. We only pass on sensitive data to third parties (such as peer organisations, law firms giving pro-bono support, or NHS Trusts you have asked us to write to on your behalf) with your express permission. We also keep anonymised records of all our advice enquiries to be able to monitor trends in the sorts of enquiries and number of enquiries. We may occasionally wish to contact you in future if your case might be relevant to research we are carrying out or to see if you would be interested in responding to a journalist request. We only do so where we have explicit permission to recontact you for these purposes.
DO WE PROCESS ‘SENSITIVE’ PERSONAL INFORMATION?
Under data protection law, certain categories of personal information are recognised as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘sensitive personal data’). In limited cases, we may collect sensitive personal data about you. We would only collect sensitive personal data if there is a clear reason for doing so, such as where we need this information to provide you with the advice you have requested about lawful maternity care (see above) or to ensure that we provide appropriate facilities at an event.
HOW DO WE USE YOUR INFORMATION?
We may use your information in a number of ways, including:
- To provide you with information, products or services that you have requested from us or that we feel may be of interest to you;
- To provide you with information about our work or our activities;
- To process donations we may receive from you;
- To provide you with advice about lawful maternity care and/or to contact third parties involved in your case with your advance permission
- To fundraise in accordance with our internal policies and procedures;
- For administrative purposes (for example, we may contact you regarding an event for which you have registered, or with a query regarding a donation you may have made to us);
- For internal record keeping relating to any donations, feedback, or complaints;
- To invite you to participate in voluntary surveys or research;
- To contact you where you have been identified as a contact person for an organisation, such as an NHS Trust or training budget-holder (if we obtain your contact details in this way, we will only use them to contact you in your capacity as a representative of that organisation);
- To analyse and improve the content and operation of our website;
- To analyse and improve our internal business processes;
- To analyse the personal information we collect about you and use publicly available information to better understand your interests, preferences and level of potential donations so that we can contact you in the most appropriate way and to ensure that we do not send you unwanted communications;
- To tailor advertising that is presented to you on the Internet according to your interests, preferences and other characteristics (as described below);
- To direct advertisements and other communications to other people who may have similar interests or other characteristics to yours (as described below);
- To assess your personal information for the purposes of credit risk reduction or fraud prevention; and
- Where we are required by law to disclose or otherwise use your information.
- In particular, we may contact you for marketing purposes by email if you have agreed to be contacted in this manner. We provide information about how you can change your marketing preferences below.
- In extreme situations, we might share your personal details with the emergency services if we believe it is in your ‘vital interests’ to do so. For example, if someone is taken ill during one of our meetings or events. We may also share your personal information if required to do so by a court order or other legal requirement. We will use all reasonable endeavours to notify you before we do so, unless we are legally restricted from doing so.
HOW WILL WE COMBINE AND ANALYSE THE INFORMATION WE COLLECT ABOUT YOU?
We are committed to communicating with you using an approach that is right for you. This means that we carefully manage the communications we send you to ensure that we are contacting you in the most appropriate way and that we are not sending you unwanted communications. In order to do this, we may combine the information that we collect about you and analyse what we know about your interests, preferences and level of potential engagement or donation. We may also use statistical analysis to analyse this data and understand the likelihood that you will be interested in or responsive to a campaign or message. We may use third party service providers to assist us in this process.
Where we have identified that you have the capacity or affinity to support Birthrights at a higher level, we may collect additional information about you (see ‘What information do we collect?’) and combine and analyse that information in a profile of you that will assist us in engaging with you in a more personalised way.
You can opt out of your data being combined and analysed for marketing purposes by contacting our Data Protection Officer as described below. However, this may mean that you stop receiving marketing communications from us more generally.
In accordance with our legal and regulatory obligations and our internal policies and procedures, we may also use personal information to carry out due diligence on potential or actual donors. If you opt out of analysis of your data for due diligence purposes, we may not be able to accept donations from you.
HOW WILL WE DISCLOSE THE INFORMATION WE HAVE COLLECTED TO OUTSIDE PARTIES?
Birthrights may provide your information to our service providers. Subject to your communication preferences and our internal policies and procedures, this would include providing your information to third parties that work with us to deliver on our charitable purposes, and other entities that act as fundraisers for Birthrights, or provide Birthrights with marketing information and services.
We enter into contracts with all of these service providers that require them to comply with data protection laws and to ensure that they have appropriate controls in place to protect the security of your information.
We will never sell your details and, except as indicated below, will only share your details with third parties (who are not service providers working at our direction) if you ask us to. We will not make cold telephone calls to members of the general public and, therefore, will not purchase your data in order to do so.
We may disclose your personal information if we are requested or required to do so by a regulator or law enforcement or in order to enforce or apply our rights (including in relation to our website or other applicable terms and conditions) or to protect Birthrights, for example in cases of suspected fraud or defamation, or in order to comply with any other applicable legal obligation.
HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
We take appropriate physical, electronic and managerial measures to ensure that we keep your information secure, accurate and up to date, and that we only keep it as long as is reasonable and necessary.
Although we use appropriate security measures once we have received your personal information, the transmission of information over the internet is never completely secure. We do our best to protect personal information, but we cannot guarantee the security of information transmitted to our website, so any transmission is at the user’s own risk. However, any payment card details (such as credit or debit cards) processed securely by our payment processing providers according to the Payment Card Industry Security Standards.
HOW CAN YOU CHANGE YOUR MARKETING PREFERENCES OR UPDATE THE INFORMATION WE HOLD ABOUT YOU?
Birthrights will only use your personal data for marketing purposes as outlined above, if you have opted in to receive these communications via our website or via a paper evaluation or sign-up sheet.
You can also change any of your marketing preferences at any time (including telling us that you don’t want us to contact you for marketing purposes) by:
Indicating that you do not wish to receive our marketing emails by clicking the ‘unsubscribe’ link in at the end of our marketing emails;
Contacting us by email at email@example.com or by phone on 0300 400 3400;
If you have indicated that you do not wish to be contacted for marketing purposes, we will maintain your details on a suppression list to help ensure that we do not continue to contact you for marketing purposes. However, we may still need to contact you for administrative purposes, including (but not limited to):
- Processing a donation you have made and any related Gift Aid;
- Providing you with the information you need in order to participate in an activity or event for which you have registered; and
- Explaining and apologising where we have made a mistake.
Similarly, if your contact details have changed or you think any information we have about you is incorrect or incomplete, you can always update or correct the information we hold about you by contacting us.
WHAT OTHER DATA PROTECTION RIGHTS DO YOU HAVE?
You can make a complaint or raise a concern about how we process your personal data by contacting our Data Protection Officer. In some circumstances, you have the right to object to our processing of your personal data or to stop us from continuing to make active use of personal data that we retain in our records.
If you are not happy with how we have handled your complaint, you can contact the Office of the Information Commissioner, which oversees the protection of personal data in the UK, or the Fundraising Regulator, which is responsible for overseeing fundraising activities carried out by charities in the UK.
Alternatively, you may choose to contact either the Information Commissioner or the Fundraising Regulator directly about your complaint, regardless of whether you have raised it with us first.
You also are entitled to request a copy of the personal information relating to you which is kept on file by Birthrights (a Subject Access Request or SAR) by contacting our Data Protection Officer.
WHY ARE WE ALLOWED TO PROCESS YOUR PERSONAL INFORMATION?
- the Data Protection Act 1998
- the Privacy and Electronic Communications (EC Directive) Regulations 2003
- General Data Protection Regulation (EU) 2016/679, which will come into force in the UK in May 2018 and replace the Data Protection Act 1998.
Generally, our processing of your personal information as described in this policy is allowed by these laws because we have a legitimate need to carry out the processing for the purposes described above. Some processing may also be necessary so that we can perform a contract with you or because it is required by law. We only use your information to send you marketing communications by email with your consent.
JOB AND VOLUNTEER APPLICANTS AND CURRENT AND FORMER EMPLOYEES
If you apply to work or volunteer at Birthrights, we will only use the information you give us to process your application and to monitor recruitment statistics. If we want to disclose information to someone outside the Birthrights – for example, if we need a reference, plan to use an external supplier to run background checks or need to get a ‘disclosure’ from the Disclosure and Barring Service (DBS) – we will make sure we tell you beforehand, unless we are required to disclose this information by law. If you apply for a job or volunteering opportunity we may also collect information so we can assess your suitability for the role.
If you are unsuccessful in your job or volunteering application, we will hold your personal information for 6 months after we’ve finished recruiting the post you applied for. After this date we will destroy or delete your information.
If you begin employment with us, we will keep any personal data relating to your employment secure, and will only use it for matters that apply directly to your employment.
Once you stop working for us, we will keep this file for 6 months. You can contact us to find out more about this.
YOUR CREDIT OR DEBIT CARD INFORMATION
If you use your credit or debit card to donate to us, buy something or make a booking online, we will use the services of a third party payment processing partner (such as Virgin Giving) as part of the payment process. We do this in accordance with the Payment Card Industry Security Standard and don’t store the details on our website or databases.
We cannot be held responsible for the privacy of data collected by websites not owned or managed by Birthrights, including those linked through our website.
Emails aren’t always secure, and they may be intercepted or changed after they’ve been sent. Birthrights doesn’t accept liability if this happens. The contents of emails reflect their author’s views and not necessarily those of Birthrights.
Please do not send Birthrights any financial data through email.
The information in emails is confidential, so if you’ve received one by mistake, please delete it without copying, using, or telling anyone about its contents.
Birthrights’s data controllers will notify data breaches to the DPA without undue delay and within 72 hours of awareness.
Data controllers will communicate data breaches to the data subject without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of individuals. Any data processor we may use will report personal data breaches to Birthrights’s data controllers without undue delay after becoming aware.
PRIVACY POLICIES OF VENDORS WE USE
We gather and process data with the help of a number of different software vendors. Here are links to each of their Data Protection/Privacy Policies: