By “information” we mean all of the personal information about you that we collect, use, share and store.
1. OUR BELIEFS REGARDING USER PRIVACY AND DATA PROTECTION
We are committed to maintaining the trust and confidence of our visitors to our website by protecting and respecting your privacy, following all legal requirements to do so. We recognise user privacy and data protection as human rights and we have a duty of care to those whose data we handle. We aim to be clear when we collect your information about what we will do with it.
We understand that data should only be collected and processed when absolutely necessary. As a charitable organisation we have relationships with lots of fundraisers, volunteers, supporters and researchers, so we use personal information on a day-to-day basis in order to operate. Our use of personal information allows us to make better decisions, fundraise more efficiently and, ultimately, helps us to reach our goals. We have made improvements to this policy to make it more understandable to our website users.
2. RELEVANT LEGISLATION
Along with our internal computer systems, this website is designed to comply with the following national and international legislation with regards to data protection and user privacy:
• UK Data Protection Act 1988 (DPA)
• EU Data Protection Directive 1995 (DPD)
• EU General Data Protection Regulation 2018 (GDPR)
Data Protection law recognises that certain categories of personal information are more sensitive. This is known as sensitive personal data and covers health information, race, religious beliefs and political opinions. We do not usually collect ‘sensitive personal data’ about our supporters unless there is a clear reason for doing so. We may collect sensitive personal data if you make the information public or if you tell us about your experiences relating to PTSD; however we will always make it clear to you when we collect this information from you, what sensitive personal data we are collecting and why (unless already covered in this document).
3. HOW WE COLLECT YOUR INFORMATION
We’ll collect information when you give it to us directly such as when you contact us, make a donation, take part in an event or volunteer for us.
We’ll collect your email address and first name if you sign up to our newsletter too. This information is only used to send the newsletter to you.
We’ll also collect information you provide to third parties such as the Great North Run, or websites such as Just Giving or Total Giving. When this happens, we’ll contact you by email to check how you’d like to hear from us in the future, and to offer you support with your fundraising efforts.
On our website
Like most websites, our website has cookies that enable basic features of the website (like adding things to your basket in our shop, for example.) Like many, we also use Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.
This helps us understand what is useful to you, so we can provide more of it, or see if there are any areas of the site that people are unable to find. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. With this in mind, we consider Google to be a third party data processor.
Contact forms and email links
We use contact forms to enable visitors to be able to get in touch with the charity. In these forms we require your name and contact details so we can get back to you. Should you choose to contact us using an email link or filling in a contact form, none of the data that you supply will be stored by this website or passed to / be processed by any of the third party data processors defined in the section below. Instead the data will be collated into an email and sent to our email servers.
We will collect your details when you place an order on our online store for the sole purpose of fulfilling your order. These include your name and address for dispatching the item(s) you have purchased, and your email address so we can contact you with updates regarding your order. This information will not be used for any other purposes and any other information you volunteer (such as phone number) will again only be retained and used in regard to your order.
4. HOW WE STORE YOUR PERSONAL INFORMATION
Any personal information provided to us will be stored in secure servers. Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access. Analytics data will be stored within Google Analytics.
Donations and other payments
When you use our secure online donation or payment pages, you’ll be directed to a specialist supplier company, who will receive your credit/debit card number or bank details and contact information to process the transaction. We don’t retain your credit/ debit card or bank details.
Although your personal information (such as name, address and tax status) will be provided to us (to allow us to claim Gift Aid from HMRC) we do not directly store any personal information from these providers – please see the individual payment processor’s website for more information on their policy and your rights.
How long do we keep your data?
We will not retain your data for longer than necessary. In general, if we no longer need your information for the reasons you gave it to us, we’ll remove it from our records.
But we’ll remove it sooner if:
- your personal information is no longer required for the purpose you shared it with us
- we’re no longer lawfully entitled to process it
- you ask us to remove it.
In the instances of donations, volunteers, fundraising and other legal contracts, we’ll retain your details for up to 6 years.
For email newsletter sign ups, we retain your data indefinitely to ensure that there are no incidents of accidental re-submission of an individual who has requested to be removed.
Please note that special rules apply to health records, which may often be kept for longer than six years. Where your personal information is used to support research, it is usually kept for longer and may be used in the future to help with further research as medical knowledge advances.
5. SHARING YOUR DATA
We may share your data with organisations such as, but not limited to, governmental bodies, regulators, funders, and insurers where we are required to do so to comply with our legal obligations or to fulfil our business processes. Examples of these are below:
In order to provide these the PTSD UK Newsletter it is necessary for us to share data about you with our email newsletter platform provider. This is the platform which enables us to provide you with updates and also from which you can manage your subscription.
They may also store and manage information on our behalf such as your email address, emails received, links accessed and other details. They will not use this information for their own purposes.
We will also share your data if:
- we are legally required to do so, for example, by a law enforcement agency, court or the Charity Commission;
- it is necessary to protect our rights, property or safety or to protect the rights, property or safety of others;
We will never share your data with any organisation to use for their own purposes. Our third party provider will also store your data on secure servers which may be situated inside or outside the European Economic Area.
Those providing funds/grants
Whilst we will not require to provide personal or identifiable information, in order to be granted funding, at times we need to provide evidence of the impact PTSD UK has on the community. As such quotes, summary of contact, stats, causes of trauma etc may be collated and shared. For example, we may be able to say ‘we are contacted by X amount of people each year who have a friend of family member with PTSD’ or ‘only 10% of people who contact us have heard of EMDR treatment’. This kind of information will remain anonymous.
We may share anonymised information with healthcare professionals, medical researchers and organisations involved in the provision of care and/or medical research. This will allow us to understand the condition and it’s prevalence better.
Complaints need to be notified in our annual reports, and although personal information will not be shared, the nature of the complaint will be.
Inappropriate website or social media use
If you post or send any content that we believe to be inappropriate, offensive or in breach of any laws, such as defamatory content on our forums or social media pages, we may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies.
6. LINKS TO OTHER WEB SITES
7. DATA PROTECTION OFFICER
Scott Suttie, PTSD UK, 83 Princes Street, Edinburgh, EH2 2ER
8. YOUR RIGHTS TO YOUR PERSONAL INFORMATION
Under the Data Protection Act 1998 you have a right to request a copy of the personal information we hold about you and to have any inaccuracies corrected. You also have the right to request us to erase your personal information, request us to restrict our processing of your personal information or to object to our processing of your personal information.
Should you wish to exercise these rights we require you to prove your identity with two pieces of approved identification. Please address requests to PTSD UK, 83 Princes Street, Edinburgh, EH2 2ER and we will respond within 40 days of receipt of your written request and confirmed ID.
Please provide as much information as possible about the nature of your contact with us to help us locate your records. Where you have provided your consent for our use of your personal information, you always have a right to withdraw your consent at any time. If you ask to receive no further contact from us, we’ll keep some basic information about you to make sure we don’t send you unwanted materials in the future.
Please let us know if you have any questions or concerns about this policy or about the way in which your personal information is being processed by contacting us via post (PTSD UK, 83 Princes Street, Edinburgh, EH2 2ER) or via our contact form.