1. INTRODUCTION
This privacy notice is directed at people living with arthritis, their families, carers, researchers, healthcare professionals, friends, parents, fundraisers, donors, supporters, volunteers, involved people, staff, trustees, website visitors, authorities and any interested parties that have their personal data processed by Versus Arthritis (VA), a charity registered in England and Wales (number 207711) and in Scotland (SC041156), and a company incorporated in England and Wales (number 490500).
Personal data is data relating to a living person who can be identified, directly or indirectly, from that data. Processing personal data refers to any action we take with someone’s personal data, which includes, but is not limited to, collecting, recording, storing, altering, retrieving, using, disclosing, restricting, erasing or destroying personal data.
At VA we are committed to protecting your personal data and being transparent about what we do with it. We will use your personal data in accordance with data protection law and the Information Commissioner’s Office (ICO) best practice guidelines – this is our supervisory authority in the UK that regulates organisations across the UK using personal data.
This Privacy Notice includes the following key information:
- Why we process your data under the law
- Your Rights
- How we keep your data safe
- A child’s personal data
- How we collect and use your personal data
- How long we keep your personal data
- Disclosure to third parties
- Our website
- Our online shop
- Our contact information
- Changes to our Privacy Notice
2. WHY WE PROCESS YOUR DATA UNDER THE LAW
VA processes personal data in accordance with the law. The Data Protection Act 2018 requires VA to rely on at least 1 lawful basis out of a total of 6 to ensure we have valid grounds for processing any personal data.
VA commonly uses at least 1 of the following 5 lawful bases to process personal data: legitimate interest, consent, legal requirement, performance of a contract and vital interest.
2.1 Legitimate interest
We take reasonable steps to ensure we are using this legal basis in the correct way by conducting 3 tests: a purpose test (assessing whether there is a legitimate interest), a necessity test (assessing whether the processing is needed) and a balancing test (assessing the kind of personal data). The main questions we ask before relying on this legal basis are as follows:
- What benefit will there be from processing the personal data?
- Will the processing help us achieve the purpose for collecting the personal data?
- What kind of personal data is it, e.g., sensitive, criminal, confidential or children’s data?
- Will the processing cause harm or risk to the freedom of the person?
- Is it reasonable for the person to expect the data to be used in this way?
For some supporters, we will send fundraising material by post and telephone, because we want to provide campaigning, promotional, and/or fundraising material to supporters. We reach out to families, carers, researchers, healthcare professionals, friends, parents, fundraisers and volunteers to help raise funds, so that we are united in our ambition to ensure that one day, no one will have to live with the pain, fatigue and isolation caused by arthritis.
We will never rely on legitimate interest to send communications where we are already relying on consent to do so.
You can opt out at any time if you no longer want to receive communications from us, using the information provided in our postal communications or by registering with the fundraising preference service. Alternatively, you can opt out by contacting supporter care, either by calling 0300 7900444 or emailing supportercare@versusarthritis.org.
2.2 Consent
We provide people free choice to give us their personal data. When asking for consent we ensure we are clear and specific, and consent is easy to withdraw at any time.
For example, VA arranges health activity programmes for people with arthritis. We send a form to those interested in the programme, asking for consent to use their personal information so they can attend the programme. The form clearly states the purpose for consent, a box they will need to tick to confirm they agree to their personal data being used in the ways outlined, and the ability to opt out at any time, as well as a link to our privacy notice for further information.
2.3 Legal requirement
In some situations, VA must process personal data as it is essential to fulfil a legal obligation.
For example, VA may need to process personal data to comply with its legal obligation to HM Revenue and Customs (HMRC), as detailed on the HMRC website.
2.4 Performance of a contract
VA may need to process personal data because it is needed to enter a contract. We will only do this if there is a clear connection between the personal data and the contract.
For example, if you order an item via our online shop, we collect your personal data to process your order and send the item to the correct address.
2.5 Vital interest
This is a legal basis that we may rely on in rare situations, to save someone’s life.
For example, we may need to disclose personal data for emergencies and medical care.
The 6th and final lawful basis is public interest, which is not a lawful basis that VA relies on to use personal data.
3. YOUR RIGHTS
Below is a summary of all your rights under data protection law. We always consider and respect your rights when we process your personal data.
- Your right of access – You can ask us for access to the personal information we hold about you.
- Your right to rectification – You can ask us to rectify your personal information if you believe it is no longer accurate.
- Your right to erasure – You can ask us to delete your personal data in some situations.
- Your right to restriction of processing – You can ask us to restrict the processing of your personal data in some situations.
- Your right to object to processing – You can object to us processing your personal information in some situations.
- Your right to data portability – You can ask us to transfer the personal information you provided to us, to another organisation, or to you in some situations.
4. HOW WE KEEP YOUR DATA SAFE
We use appropriate technical controls to protect your personal details. Below are key examples of how we keep your personal data safe at VA.
- Our online forms are always encrypted, and our networks are protected and routinely monitored.
- We conduct regular security audits and reporting, e.g., we do penetration tests on our networks and applications.
- We comply with Cyber Essentials Plus security accreditation and best practices set by the National Cyber Security Centre, for all systems and suppliers.
- We regularly engage independent testers to check our digital and data security for weaknesses, in line with Cyber Essentials Plus requirements, to strengthen our security measures and ensure we meet high cybersecurity standards.
- Our contracted suppliers manage card transactions securely in line with the Payment Card Industry Data Security Standard (PCI DSS). All credit and debit card details are securely destroyed once any payment or donation is processed.
- We ensure General Data Protection Regulation training is mandatory for all our staff.
- We sometimes use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
- Where personal data is no longer required (either because a request is sent for the personal data to be deleted or the personal data retention period has expired in accordance with our data retention policy), we will ensure it is disposed of in a secure manner.
- For changes to existing data collection, or for processing of new data, which may result in a high risk to the rights and freedoms of the data subject, we undertake a Data Protection Impact Assessment (DPIA) to ensure the new or changed data collection is compliant with ICO guidelines.
5. A CHILD'S DATA
Any personal data that VA collects from or about a child will be managed in a way appropriate to the age of the child. Data protection law requires a child to be 13 years or older in the UK, to legally provide consent to their personal data being processed. VA verifies a child’s age before processing their personal data and/or seeks parental/guardian consent on the child’s behalf if needed.
We are required to share information with law enforcement authorities should they ask, to effectively safeguard children from harm and promote their wellbeing. As such, we may keep a child’s personal data until they are 18 years old. Under data protection law, we rely on the following legal bases to justify why we process and keep a young person’s and/or family’s personal data:
- Legal requirement: the law states that we are bound to report illegal activity.
- Legitimate interest: we must disclose the personal data of a child to law enforcement authorities in the event law enforcement authorities request the data, as our interest to prevent any further criminal act and cooperate with law enforcement outweighs any interests of the young person/family to keep their information hidden.
- Vital interest: we may need to share personal data to save a young person’s life. This is only applicable in very limited circumstances where a young person’s life is at risk.
6. HOW WE COLLECT AND USE YOUR PERSONAL DATA
Being open and transparent about how and why we process personal data is central to our values as a charity. Below is a high-level summary of all the business areas within VA where personal data is collected; what personal data is collected; how it is collected; why; and the lawful bases we rely on to collect it.
Where special category data is collected, we undertake a DPIA for new processing.
6.1 When we process your donations, card payments or invoices, or deal with your enquiries and complaints
Area in VA: Finance
Personal data collected:
- Name
- Email (Optional)
- Telephone (Optional)
- Financial information (bank and card details)
- Home Address
How is the data collected?
- Forms (Supplier/expense claim documentation)
- Telephone
Why is the data collected?
- Card information is needed to process donations. Note: card payments are processed and managed by our fulfilment house, Allied Publishing Services (APS)
- Invoices are processed to pay third parties, e.g., insurance companies, suppliers etc.
- Bank details are stored for individuals on the Finance System, to enable payment of out-of-pocket expenses.
Lawful basis relied on:
- Consent
- Legal Requirement
- Performance of a contract
Area in VA: Supporter Care
Personal data collected:
- Name
- Home Address
- Telephone
- Bank account information for direct debit/standing order supporters
How is the data collected?
- Forms
- Contracts with third parties (e.g., APS)
- Telephone
- Post
Why is the data collected?
- Personal data is shared with third parties to process data on our behalf e.g., APS.
- Data is collected from supporters for donations, to generate income to fund VA's services, research and provide support for the benefit of people with arthritis.
- To answer supporters' questions, address complaints, provide information, cross-promote products and process any requests received from supporters.
Lawful basis relied on:
- Consent
- Legal Requirement
- Performance of a contract
- Legitimate interest (post and telephone only)
- Vital interest
6.2 When we carry out duties required under law and/or regulation
Area in VA: Governance Assurance and Legal
Personal data collected:
- Name
- Home address
- Telephone
- Date of birth
- Passport number
- Country of residence
- Nationality
How is the data collected?
- Forms
- Legal documents/consent
- Insurance policy
Why is the data collected?
- To send information to VA’s board of trustees and/or Senior Leadership Team
- Statutory requirements (i.e., to meet the terms of our Anti-Bribery Policy, or Conflict of Interest Policy).
- Serious incident investigations.
- Legal investigations.
Lawful basis relied on:
- Consent
- Legal requirement
Area in VA: Legacy
Personal data collected:
- Name
- Home address
- Telephone
How is the data collected?
- Letters
- Telephone
Why is the data collected?
- Data is collected so the legacy can be administered.
- To appoint third-party specialists to take receipt of the legacy.
Lawful basis relied on:
- Consent
- Legitimate interest
- Performance of a contract
Area in VA: Facilities
Personal data collected:
- Name
- Telephone
- Home address
How is the data collected?
- Landlord and tenant contracts
- Supplier contracts (e.g., cleaners)
- Health and safety accident log
Why is the data collected?
- To effectively manage building arrangements (landlord and tenant).
- To destroy confidential waste documents securely.
- To maintain the Health & Safety log as per the Health and Safety Executive guidelines.
Lawful basis relied on:
- Consent
- Legal requirement
- Performance of a contract
Area in VA: Awards and procurement
Personal data collected:
- Name
- Address
- Telephone
- Sex
- Gender
- Age
- Ethnicity
- Disability
- Sexual orientation
- Religion
- Marital status
How is the data collected?
- Forms
- Supplier contracts
Why is the data collected?
- Awards team collects personal data to ensure there is effective governance and reduced risk when spending the charity’s money.
- To promote equity and diversity in our applicant group
- Procurement team processes personal data to support in the tender and procurement process, contract management, due diligence and value for money assessments.
Lawful basis relied on:
- Consent
- Legitimate interest
- Performance of a contract
6.3 When we process data in surveys and/or online forms
Area in VA: Information and communications technology
Personal data collected:
- Name
- Home address
- Telephone
How is the data collected?
- Forms
Why is the data collected?
- Information gathered via the website is needed for various reasons.
- Personal data is needed for destruction of laptops when an employee leaves VA.
- Home address needed to send equipment to homes (shared with couriers) for flexible working.
Lawful basis relied on:
- Consent
- Legitimate interest
Area in VA: Improvement and impact
Personal data collected:
- Age
- Gender
- Location (first half of the postcode)
- Ethnicity
- Health data
How is the data collected?
- Survey data (external facing)
- Survey data (internal facing)
- Smart survey
Why is the data collected?
- To assess the groups of individuals that VA impacts and how VA can improve its services based on the information collected.
Lawful basis relied on:
- Consent
6.5 When we process data to build relationships with individuals, groups and decision makers that help us generate income and influence decisions to support people with arthritis
Area in VA: Strategic Partnerships
Personal data collected:
- Name
- Home address
- Telephone
- Financial information
- Family details
- Work details
How is the data collected?
- Forms
- Desk Research for due diligence
- Public data sources such as 192.com
- Payroll giving agencies
Why is the data collected?
- Data is collected to build relationships with high-net-worth individuals, mid-value donors and payroll givers
- Personalised journeys are developed, which increase loyalty through engagement, donations and relationship building.
- To develop giving programmes
- To steward existing major donors
- To qualify whether to accept or reject a donation
- For research.
Lawful basis relied on:
- Consent
- Legitimate interest
Area in VA: Mass engagement and fundraising
Personal data collected:
- Name
- Ethnicity
- Title
- Age
- Telephone
- Postal address
How is the data collected?
- Forms
- Surveys
- Letters
- Emails
- Telephone
Why is the data collected?
- Data is collected to build relationships with individuals
- To ensure we create a personalised supporter journey to increase engagement and loyalty, which ultimately drives income and ensures charitable sustainability.
Lawful basis relied on:
- Consent
- Legitimate interest
Area in VA: Policy, Public Affairs and Campaigns
Personal data collected:
- Name
- Telephone
- Postal address
- Health data
- Age
How is the data collected?
- Forms
- Survey
- Via third parties
Why is the data collected?
- We collect data to build relationships with individuals.
- To ensure we create a personalised supporter journey to increase engagement and loyalty, which helps drive action and policy/political change.
- To influence decision makers across the UK.
Lawful basis relied on:
- Consent
- Legitimate interest
7. HOW LONG WE KEEP YOUR PERSONAL DATA
Our standard data retention policy is to keep your personal information for up to 12 years. Data protection law requires us to keep personal data for no longer than we need it, so the exact length of time we keep personal data depends on the nature of it.
Our retention schedule for keeping personal data may depend on legal requirements and in other cases it may depend on what we deem necessary to keep in accordance with our best practice guidelines.
8. DISCLOSURE TO THIRD PARTIES
We will never sell your personal information. However, to ensure we provide you with the best service, we make use of external expertise where appropriate. This involves us sharing personal data with the following service providers:
- Organisations who work on our behalf.
- Organisations we partner with to improve the services we deliver.
- Our processors who act solely on our instructions e.g., we use a processor to process donations on behalf of VA.
- Our fulfilment companies that fulfil an order you have placed with us.
We may also occasionally be required to share your personal data with law enforcement, public authorities, regulators and/or our professional advisers. We will only do this where we have a clear lawful basis for doing so.
There are some instances where we are obligated to disclose personal data, for example, under safeguarding law. We have a safeguarding policy about this and the safeguarding page on our website also has further details, here: https://www.versusarthritis.org/about-us/our-policies/safeguarding-commitment/
9. OUR WEBSITE
VA’s website uses cookies (and similar technologies such as tags) to distinguish you from other users of our website, to provide you with a good experience when you are browsing, and to target our advertising so we can improve our site.
When you first visit our website, we will ask for consent to set any cookies (and to process any personal data collected by these cookies) and you will be able to set your preferences at this stage. Where cookies are strictly necessary, we consider that we have a legitimate interest in processing the personal data they collect, as having a working website is vital to our work.
You can withdraw your consent by clearing cookies from the cache in your device and rejecting them next time you visit our website.
For more information about our use of cookies and tags, please see our Cookie Policy on our website.
10. OUR ONLINE SHOP
When you order via our online shop and use a debit or credit card, the transaction will be processed securely in line with PCI DSS standards, by either us or our contracted suppliers. All credit and debit card details are securely destroyed once the payment or donation has been processed.
11. OUR CONTACT INFORMATION
If you have any queries about your personal data, or you wish to exercise your rights under data protection law, please email our Data Protection Officer at: dpo@versusarthritis.org.
If you have any general queries, our postal address and general contact information are on the Contact us page of our website (versusarthritis.org).
If you have any queries about arthritis, or you just need someone to listen to you, you can chat to our advisors on our helpline number here: 0800 5200 520.
If you have a complaint to make, please visit the Complaints page on our website here: Making a complaint | Versus Arthritis.
12. CHANGES TO OUR PRIVACY NOTICE
We will regularly review this privacy notice. Any significant changes will be clearly communicated on our website on a change log, or we may directly contact you about the changes if we already hold your data and if the changes affect you directly.