Jo’s Cervical Cancer Trust Privacy Policy

At Jo’s Cervical Cancer Trust we are committed to protecting any personal information that we collect about you and being transparent about what we do with it. This policy covers all the methods we use to collect information and covers what we collect, why we collect it and your rights regarding the information we hold for you.

We have written this policy in accordance with the Data Protection Act 1998, the General Data Protection Regulation and any subsequent policies.

If you have any queries then please contact the Data team at Jo’s Cervical Cancer Trust, 10-18 Union St, London SE1 1SZ, by email [email protected] or call us on 020 3832 8000.

By using our website, forum, social media or providing your personal data to us you are consenting to our collection and use of the information as set out below.

• What is personal information?
  • Personal information
  • Special category
• What information do we collect and why?
• Links to third party websites
• How do we use this information?
• Who do we share your information with?
• Our support services
• Our Forum
• Employees, volunteers and job applicants
• How do we store and protect your information?
• Your rights
  • Overview
  • Right to be informed
  • Right to access
  • Right to correct personal information
  • Data Portability
  • Right of erasure
  • Right to restriction of processing
  • Right to withdraw consent
  • Right to object to processing
• Lawful Basis for Processing

What is personal information?

Personal information

Personal information is any information that can be used to identify you. For example, it can include information such as your name, date of birth, email address, postal address, telephone number, IP address, credit/debit card details, CCTV footage, and information relating to your health and personal circumstances.

Special Category data

Data protection law recognises that certain categories of personal information are more sensitive. These are known as ‘special category data’ and include information relating to health, race, ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), sex life and sexual orientation.

Links to third party websites

Our website contains links to other websites that we think may be of interest to our website users. We cannot be held responsible for the privacy policies for these websites.

What information do we collect and why?

We will only collect the information that we need, this may include information to help us operate and improve our services and information.

We collect information when you give it to us directly, this includes when you use any or all of our support services, communicate with us to enquire about our work or fill out a form on our website e.g. to register for an event, tell your story, register for our newsletter, use our shop or make a donation. We also collect information from people we meet at events.

We may also receive information about you from third parties, for example through fundraising sites such as Just Giving, event organisers including the London Marathon or Dream Challenges and through conferences or events you have attended where you have given your consent for your details to be passed on. We only receive this information with your consent, so check their Privacy Policy to understand how they will look after your data

We sometimes get information about you from your family and friends, for example if they register you for an event

Before contacting or meeting an individual or organisation we may seek information from publically available sources, e.g. the internet or companies house, so we can make the best use of their time. We may also seek information from publically available sources to demonstrate due diligence on accepting donations as set out by the Charity Commission, Fundraising Regulator and to ensure we are in line with our donation acceptance policy.

Information we collect as you use our online Forum. Find out more in the ‘Our Forum’ section.

Depending on your settings or the privacy policies for social media platforms including Facebook or Twitter, you might give us permission to access information from those accounts or services.

How do we use this information?

The type and quantity of information that we ask for and how we use it depends on why you are providing it. We will use your personal information to:

Provide you with the services, products or information that you have asked for.

Keep a record of our contact with you for administrative purposes or legal purposes, let you know about changes to our policies and if we need to respond to complaints or other issues.

Understand how we are performing and how we can improve our services to better support those who need us.

Process transactions, donations and claim Gift Aid.

Send direct marketing, including communications about our campaigns, fundraising and volunteering opportunities, including opportunities which involve us working in partnership with others. This is only after you have told us that you would like to receive this information and you can change your mind at any time.

Be able to carry out your wishes in relation to a gift in your will

If you become a media volunteer and share your story with us, we will never share identifiable details without your permission, but sometimes may use some of your story to secure opportunities.

We will only collect and use your personal information where we have a legal basis to do so and will always respect your rights.

Where we use your information, it may be because you have consented to us doing so or because we consider we have a legitimate interest to do so. Where we do rely on a legitimate interest to use your information, we promise never to do it in an intrusive way or to cause distress, and to always respect your rights. Other reasons may include using information because we have a legal obligation to do so or because we have to fulfil contractual obligations.

Who do we share your information with?

We will not sell your details, however may occasionally share your information with carefully chosen third parties who our working on our behalf, including mailing houses who distribute our information materials.

If you set up a direct debit or use your credit or debit card to donate to us or to order from our shop, we pass your details securely to our processing partners to enable payments to be made. We do this in accordance with industry standards and do not store your card or bank details on our website. Our partners will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses.

We may also need to share your information if required to do so by law.

Our support services

In order for us to run our services, including our Forum, Helpline, 1:1, email, Ask The Expert, we collect personal and sensitive, special category data. It is also the case when you sign up to our support events, either online or face to face. This information is managed separately to other data provided to the charity, stored confidentially and only accessed by trained staff. We collect this information to enable us to monitor these services, improve them, contact you about forthcoming internal events that may be of interest to you and provide additional support to those who request it.

Our Ask the Expert service is strictly confidential and identifiable details of service users are not passed to our medical panel volunteers. The details of service users and their queries are kept separately on our secure database with only members of the services team and main database administrator having access. Details of our Call back service users and 1:1 service users are also kept on our database in order to provide increased support at the request of our service users. As with all of our services, these details are kept strictly confidential.

Our Forum

We collect information from you when you register our Forum, such as your name and email address; this is because an account is required to post. However you may visit the Forum and read posts without signing up. Your email address will be verified by an email containing a unique link. If that link is visited, we know that you control the email address.

Email notifications about new posts or replies can be managed or turned off within the preferences section of your Forum account.

When registered and posting, we record the IP address that the post originated from. This is partly to keep the Forum safe and reduce spam posts. We also may retain server logs which include the IP address of every request to our server.

We will make a good faith effort to:

Retain server logs containing the IP address of all requests to this server no more than 90 days.

Our Forum is moderated, however the information you provide is publically available so please avoid sharing identifiable information. You can read more about this in our Forum guidelines. We ask you to provide your email address when you register and may contact you about administrative issues and changes to the forum.

Employees, volunteers and job applicants

If you apply to work or volunteer at Jo’s Cervical Cancer Trust, we will only use the information you give us to process your application and to monitor recruitment statistics. If we want to disclose information to someone outside the charity – for example, if we need a reference, or need to get a ‘disclosure’ from the Criminal Records Bureau – we will make sure we tell you beforehand, unless we are required to disclose this information by law.

If you are unsuccessful in your job application, we will hold your personal information for six months after we’ve finished recruiting the post you applied for. After this date we will destroy or delete your information.

When you start working for us, we will put together a file about your employment. We keep the information in this file secure, and will only use it for matters that apply directly to your employment. Please refer to the Employee Privacy Policy for further details.

Once you stop working for us, we will keep this file according to our document retention policy.

How do we store and protect your information?

We are committed to ensuring all personal data we collect is stored securely and have security measures in place to protect the data we collect and store. This includes using secure server software (SSL) to encrypt all financial details collected and ensuring only appropriately trained, authorised staff can access personal or sensitive data. We take every measure to ensure the information you give us is kept secure, accurate and up to date and that you are not contacted for any other reason than specified. We will only keep your information for as long as we need it and will always dispose of it securely when we do.

Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.

While we will do our best to ensure your data is kept secure, we cannot accept any responsibility for any loss, disruption or damage to your data or your computer system while you are using our website.

Your Rights

Overview

You have a number of rights in relation to your personal information. You should note that these rights are not absolute, so we do not always need to comply with your requests, but we will make sure we explain our reasons to you if this is the case.

To exercise any of your rights, please contact [email protected].

We may ask you to provide additional information to prove your identity, for example, to provide a copy of an identification document, before we allow you to exercise a right. For your security, we consider that we have a legitimate interest in ensuring that we only allow the correct individuals to exercise the rights to which they are entitled. Asking for proof of ID aims to prevent fraudsters from accessing the information we hold about you.

We will respond to any such request within one month. If we refuse a request, we will explain our reasons and let you know how you can challenge our decision.

If you are unhappy with how we’ve dealt with your request or used your data please tell us so we can sort it out. However, if you are still unhappy you have the right to complain to the Information Commissioner’s Office (ICO). The ICO can investigate your claim and take action against anyone who has misused personal information. Please visit https://ico.org.uk/concerns or call the ICO helpline on 0303 123 1113 for further information

Right to be informed

You have the right to be informed about the collection and use of your personal information, and we are also required to ensure that we are transparent about how we use your personal information.

This Privacy Policy explains how we process your personal information.

Right to Access

You have the right to ask us to confirm whether we process any of your personal information, and to provide access to any personal information we do hold about you.

Right to correct your personal information

We aim to ensure that all personal information is correct. If any of the information that you have provided us with changes, for example if you change your email address, please do contact us so that we can keep our records up to date. We will update your records as soon as possible and in any event within one month.

You have a right to require us to correct any information about you that is inaccurate, and you may also ask us to remove information which is inaccurate or to complete information which is incomplete. We may seek to verify the accuracy of the personal information before rectifying it, and in some circumstances we will need to keep a copy of the inaccurate data (for example, if we need to keep an audit trail).

If we do update inaccurate information, we will inform relevant third parties with whom we have shared your data so they may update their own records.

Data portability

In some situations, you have a right to obtain your personal information from us in a structured, commonly used and machine-readable format and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data. This includes the right to require us, where technically feasible, to pass on information we obtained from you to another data controller.

This right applies when we are relying on your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the lawful ground for processing, and we are carrying out processing by automated means.

Right of erasure (right to be forgotten)

You have the right to require us to erase your personal information in certain circumstances, for example:

where it is no longer necessary for us to continue holding or processing your personal information for a particular purpose;

if you withdraw your consent to certain processing (in relation to which we rely upon your consent as a lawful basis); or

if you have objected to processing in relation to which we rely upon our legitimate interests, and we have no overriding interest or that personal information is processed for direct marketing purposes (and this includes profiling to the extent that it is related to such direct marketing).

This right is not absolute: for example, we do not have to delete your data if we need to continue processing this information to comply with our legal obligations, or for the establishment, exercise or defence of legal claims. We may also need to keep some information about you in order to, for example, comply with an instruction not to contact you again.

Right to restriction of processing

You have a right to ask us to restrict our processing of your information if:

you contest its accuracy and we need to verify whether it is accurate;

the processing is unlawful and you ask us to restrict use of it instead of erasing it;

we no longer need the information for processing, but you need it to establish or defend legal claims;

you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests. If you exercise your right to restrict processing, we would still need to process your information for exercising or defending legal claims, protecting the rights of another person or for public interest reasons.

This is an alternative right to the right to be forgotten and it is not an absolute right.

Right to withdraw consent

If we rely on consent as the legal basis for processing (you can withdraw your consent to that purpose of processing, and we will stop that particular processing.

However, we may still continue to use the same data for other purposes: for example, you withdraw your consent to receipt of direct electronic marketing from us, and also make a complaint, we may rely on our legitimate interests to process your personal information in order to investigate that complaint.

Right to Object to Processing

You have the right to object to: processing that is based on legitimate interests or performance of a task in the public interest (including profiling); direct marketing (including profiling for the purposes of direct marketing) and processing for the purposes of scientific, statistical or historical research.

We must comply with any request to stop processing for the purposes of direct marketing. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

If you would prefer us not to profile you for the purposes of targeting or tailoring our fundraising efforts, please contact us.

Legal Basis for Processing

Personal Information

We collect and process your personal information for various business purposes, in accordance with applicable laws.

UK data protection laws require us to have a specific lawful basis for each purpose for which we process your personal information. We explain these purposes and the corresponding lawful basis in the section on how do we use this information.

• We generally process your personal information on one of the following basis:
• the processing is necessary for our legitimate interests (as identified in the section on how do we use your information), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information;
• we have obtained your consent to use your personal data for the stated purpose;
• the processing is necessary for compliance with legal obligation. to which we are subject; or
• the processing is necessary for performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract.

We may also rely on other basis (for example, where the processing is necessary in the performance of a task carried out in the public interest, or where the processing is necessary in order to protect your vital interests or those of another person) on an exceptional basis, if none of the above conditions apply.

Special Category data

We collect special category data (usually health data) mainly so that we can give you advice, to ascertain what services are relevant to you or to provide other services and support to you. We may also collect this information in other situations, for example, when we are carrying out research we may collect this information if you have publicly posted online via social media or other methods about your cancer treatment.

In order to process any special category data, we need to ensure that we have a particular reason to do so, in addition to the general lawful bases set out above. The reason needs to relate to one of the additional lawful bases for processing set out under UK data protection laws.

We generally process your special category data only:

• with your explicit consent; or
• where you have ‘manifestly made public’ this information.

However, we may also rely on other bases where neither of the above apply, including but not limited to where the processing is needed for legal claims, is necessary for substantial public interests (as set out in UK data protection law), is necessary for reasons of public interest in the area of public health, or exceptionally, where the processing is needed to protect your life or the life of another.

Changes to this policy

We may change this privacy notice from time to time. If we make any significant changes to this notice and the way we hold personal data, we will make this clear on the Jo’s Cervical Cancer Trust website or by contacting you directly.

Questions?

If you have any questions about this policy or how we use your data, please contact the Corporate Services team on 0203 832 8000 by email [email protected]. For further information please see the Information Commissioner’s Guidance at https://ico.org.uk.