Raise is committed to protecting your privacy. We are conscious of our responsibilities under the Data Protection Act 2018 and UK General Data Protection Regulations 2018 (UK GDPR). We endeavour to ensure that the personal information we obtain will always be held, used and otherwise processed in accordance with those regulations and all other applicable data protection laws.
This statement explains how we will handle the personal information you provide to Raise. We may periodically modify, add or remove sections of this privacy statement so you may like to check this page from time to time.
What personal information do we collect?
Personal information is information that can be used to identify you. It can include your name, date of birth, email address, postal address, telephone number and credit/debit card details. We collect some personal information when you donate money, undertake fundraising activities, ask about our activities, order products and services (such as publications and email newsletters), or otherwise give us personal information online, in paper or electronic form, over the phone or face to face.
We only collect your debit/credit card details if you provide them to us to make a donation. The card details are redacted or destroyed once the donation is processed. We only collect bank account details if you set up a direct debit or standing order payment for regular donations to us. These details are held securely.
By giving us your personal details, you agree that all personal data you submit may be processed in the manner and for the purposes described below.
We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you, including geo-demographic information and measures of affluence, when it is available from external sources to help us do this effectively. This helps us understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. If you do not wish your data to be used in this way or have questions about this, please get in touch with the charity office.
How we collect information about you
We collect information about you in the following ways:
When you give it to us directly – You may give us your information when you sign up to one of our events, tell us your story, make a donation or communicate with us. Sometimes, when you support us, your information is processed by an organisation working for us (such as a mailing house), but we are responsible for your data at all times.
When you give it to us indirectly – Your information may be shared with us by independent organisations, for example fundraising sites like JustGiving. These independent third parties will only do so when you have indicated that you wish to support Raise and with your consent. You should check their privacy policies when you provide your information to understand how they will process your data.
When you give permission to other organisations to share it, and depending on your settings or the privacy policies for social media and messaging apps like Facebook and Twitter, you might give us permission to access information from those accounts or services.
We may combine information from these sources with that which you provide to us directly. We also use this information to gain a better understanding of our supporters to improve our fundraising methods, products and services.
Why and how do we use your information?
We process your data as described in this policy because we have a legitimate need to do so to deliver our fundraising ambitions. Some processing of data may be carried out to perform a contract with you or because it is required by law, such as the completion of due diligence or obligations for processing Gift Aid on your donations. We would only use your email or text information to contact you about fundraising and marketing if we have consent to do so, and you will always have the opportunity to opt out of communication from any channel at any time.
We do not and never will sell or swap your data. We will use your personal information to provide you with the support or information you have requested, for administration purposes and to further our charitable aims, including for fundraising activities. We may need to share your information with our service providers such as external mailing houses that process our appeals. We have strict data protection arrangements in place with these fulfilment organisations and they will comply with GDPR regulations too.
Any information we collect is stored and processed in the UK apart from our donor database, Raiser’s Edge (a Blackbaud Inc. product). Blackbaud is headquartered in the United States and may transfer personal data, for which customers (like Raise) act as the data controller, outside the United Kingdom as necessary to fulfill obligations to their customers. Blackbaud only transfers personal data to countries deemed by the Secretary of State of the United Kingdom to provide for an adequate level of personal data protection or to organisations pursuant to lawful transfer mechanisms ensuring appropriate safeguards, such as standard contractual clauses, or binding corporate resolutions.
We reserve the right to share your personal information if we are legally obliged to and to enable us to apply our terms and conditions and other agreements. This includes exchanging information with other organisations for fraud and credit risk reduction and for police investigations.
To comply with our legal obligations under Charity fundraising: a guide to trustee duties (CC20), as well as regulation such as the Charity Commission’s Know Your Donor Policy and the Fundraising Regulator’s Code of Practice, we may also undertake due diligence research to assess the source of funds for donations and to ensure that we are robustly considering ethical and reputational risks to our organisations. We consider this processing to be a legal obligation and thus are relying on this as a lawful basis for processing data under GDPR.
How do we keep your information secure and confidential?
Under the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), there are strict principles which govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a legitimate need to know can get access to the information. This might be through the use of technology or other environmental safeguards.
All systems access is governed by strict controls which are compliant with our information governance and IT security policies. Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
What lawful basis do we rely on for processing personal data?
Data protection laws require us to identify which legally defined “ground for processing” we will use for anything we do with your personal information. We have grouped the things we do with your information into sections for each “ground for processing”. We have done this because you have different rights depending on which of these “grounds” is being used.
Explanation: Where we use “consent” to process your information, we can only do this with your permission, and you have the right to withdraw your permission, without detriment to you, at any time. Please bear in mind that if you like receiving news about us by one of the methods listed below, and you withdraw your consent, we will no longer be able to send it to you.
If, and only if, you have consented, we may use your personal information to:
- send you messages and material which promote our charity by email, SMS, direct social media messages
- telephone you to ask for your support on private telephone numbers registered on the telephone preference service
- publish personal information about the nature of your support for us.
If you are asked by a partner website or other giving platform whether you agree to receive further fundraising contact from us by any specific method which, in law, requires consent (e.g. email, text message etc.) and you do agree to such contact, then we will receive that information from our partner and record your consent to be contacted by that method. In these circumstances our partner will always pass your contact and giving information to us.
Explanation: Sometimes we are legally required to process your data because of our nation’s laws or some other regulatory obligation. In most cases we have no choice about this, and although you can object, we may not be able to stop using any or all of your information for any of these purposes.
The following circumstances create a legal obligation for us to process your data:
- If you allow us to claim Gift Aid then we have to keep records and pass them to His Majesty’s Revenue and Customs
- For auditing and accounting purposes
- In respect of some gifts, there is a requirement to carry out anti-money laundering activity
- To comply with the charity regulators’ requirements to safeguard the reputation of the charity
- To comply with the legal requirement to record details of complaints about fundraising.
Explanation: If you and we enter into some kind of binding agreement, for example to sell you a ticket for an event, then the ground for processing will be “Contract”. You do have the right not to give us your data, but we will probably not be able to complete the transaction with you if you do not let us use your data.
The following circumstances will result in using your information for the purposes of administrating a contract:
- Providing you with a ticket for an event, training course, and processing your registration for that ticket or event.
- Using your data to communicate with you in respect of grants or gifts we have made or received where that grant or gift is subject to a contract between us and you or an organisation with which you are connected.
Explanation: Some aspects of our work cannot be done without using your personal data, but do not fall into the group of activities where consent is required by law, nor will they be subject to a contract or a legal obligation. In most of these cases we use the “Legitimate Interests” ground for processing. This means that we must balance the benefit we get from using your data to pursue our own lawful interests against any negative impact on your rights and freedoms which might happen as a result. (If we think that there is too much negative impact then we would ask for your consent instead.) You have a right to ask us to stop using your data if we are using “Legitimate Interests” as our ground for processing.
We will use the Legitimate Interests ground for processing in circumstances such as the following:
- Putting your personal data on our database or any other form of organised filing system which we use.
- Sending you messages about the impact of your giving and / or fundraising and inviting you to support us now or in a legacy in your will or to renew your support (unless the law requires your consent first – these circumstances are described under “consent” above).
- To carry out general administrative matters, both internally and to communicate with you. Examples include if a direct debit were to cease due to a change of bank account, or to ask you to consider completing a Gift Aid form.
- To respond to general enquiries that you might make of us, for example via our website, or by phoning, emailing, writing to us etc.
- To understand the way in which you read, or do not read, any e-newsletters we may send, or the way in which you navigate around our website.
- To update your address and other contact information where you have initially provided it and if we find that it is out of date. We only obtain data from sources (like the Royal Mail National Change of Address database) where you have consented for that organisation to pass it on to others or where there is some other lawful basis for our obtaining the data.
- Using information about your giving, together with that of others, to develop our fundraising and supporter engagement strategies. This could involve the construction of “donor segments” stratified, for example, by the amount of your giving or fundraising for us, or its frequency, or other factors which help us to fundraise efficiently. We may use software to help us analyse this information and to generate our segmentation. This activity is likely to fit the legal description of “profiling” and you have a right to tell us not to do this.
- To add data from third party sources to help us to organise our fundraising as efficiently as we can. This may include the use of indicators of wealth, disposable income, history of giving to other organisations, social media comments you yourself have made public (e.g., a public Twitter feed) and other similar data which help us use our limited fundraising resources well. The effect of this is to ensure that as far as possible we ask wealthier people for larger gifts and less wealthy people for smaller ones and spend more resources on those who are most likely to give, and minimise resources spent on those who are unlikely to give. This may involve comparing your name and contact details with a list of names and contact details on other databases. The owners of those databases will not gain access to your data for their own purposes. This activity is likely to fit the legal description of “profiling” and you have a right to tell us not to do this.
Who do we share your data with?
When considering how we share your data with another organisation, we ask ourselves whether or not we would lose control of your data by doing so. Losing control would mean that the new organisation could decide what to do with your data. We only share your data in this way if we have your consent, or if we are legally obliged to do so.
In practice this means we pass your data to others in the following limited circumstances:
- To HMRC in order to claim Gift Aid
- To statutory bodies, for example the Charity Commission, the Information Commissioner or the Police, if they have obtained the relevant powers to require us to pass your data to them.
We may also pass your data, but not control of your data, to organisations which help us to manage our own work. These are known as Data Processors and are bound by a contract with us. They are not allowed to do anything with your data that we have not authorised, and they may not use your data for their own purposes, nor can they keep it. Examples of data processors include a mailing house which prints letters for us and our database supplier which hosts our donor database in a secure encrypted “cloud” environment.
The accuracy of your data and keeping it up to date
We ask that you please let us know when you move house or change your contact details, so that we can keep our records up to date. If mail (postal or electronic) addressed to you is returned to us as ‘moved away’ (or something similar) then we may use publicly available sources, such as the Post Office’s National Change of Address database, to double-check and update your details.
While we endeavour to ensure that the information we hold about you is accurate and, where necessary, kept up to date, we shall assume that in the absence of evidence to the contrary, the information you provide us with is accurate. Should there be any inaccuracies in the information of which you inform us, or of which we become aware, it shall be promptly rectified by us.
How long will we keep your data?
Whatever your relationship with us, we will only store your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements.
Usually this will be for a specified amount of time in accordance with our data retention policy. That length of time may vary depending on the reasons for which we are processing the personal information and whether we have a legal (for example under financial regulations) or contractual obligation to keep it for a certain amount of time.
Subject to the above, we typically retain personal information relating to donors and people who have taken campaign actions or signed up to our mailing lists for six years after their last donation or interaction with us, and we will then consider whether to retain it for a further six years. Once the retention period has expired, personal information will be confidentially disposed of or permanently deleted.
If you have pledged a legacy gift, it will be necessary to retain your data until your gift is received, so that we can identify the gift against the pledge.
We may contact you by mail from time to time, to keep you up to date with our hospitals’ news, appeals, events and how supporters like you are transforming patients’ lives. We invite you to tell us how you want us to communicate, in ways that suit you. We will also include information on how to opt out of future marketing. If you don’t want to hear from us, then we understand.
If we run an event in partnership with another named organisation then your details may need to be shared. We will be very clear what will happen to your data when you register.
We do not have access to patients’ health records.
Information on Children and those under 18
We don’t actively collect data on children. However, we know that some are kind enough to fundraise for us. If we capture children’s data through our giving platforms, we’ll ensure parental consent is in place for anyone under 13 years old. We do not actively market to under 18s. If we want to store a photograph of someone under 18 we will seek their consent if they are 13 or over and that of their parent or guardian if they are younger.
What are your rights?
You have the right to ask us not to process your personal data for marketing purposes, and you have a right to seek the erasure of your data (often referred to as the ‘right to be forgotten’). You may wish to exercise this right for any reason, for example where it is no longer necessary for us to continue holding or processing your personal data you may withdraw your consent. You should note that we are entitled to and reserve the right to retain your data for statistical purposes. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.
You have a right to ask us to confirm whether we are processing information about you, and to request access to this information (‘right of access’).
You may ask us, or we may ask you, to rectify information you or we think is inaccurate, and you may also ask us to remove information which is inaccurate or complete information which is incomplete (‘right to rectification’). If you inform us that your personal data is inaccurate, we will inform relevant third parties with whom we have shared your data so they may update their own records.
We want to ensure that your personal information is accurate and up to date. If any of the information that you have provided us with changes, please let us know using the contact details at the end of this policy.
You have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data (‘right of portability’). This right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
You have a right to ask us to restrict our processing of your information (‘right to restriction’) if:
- you contest its accuracy and we need to verify whether it is accurate
- the processing is unlawful and you ask us to restrict use of it instead of erasing it
- we no longer need the information for the purpose of processing, but you need it to establish or defend legal claims
- you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests.
If you exercise your right to restrict processing, we would still need to process your information for the purpose of exercising or defending legal claims, protecting the rights of another person or for public interest reasons.
If you would like to exercise any of your rights above, please let us know using the contact details at the end of this policy. We will act in accordance with your instructions as soon as reasonably possible and there will be no charge.
Complaints, comments and compliments
If you are unhappy with our work or something that we have done or failed to do, we want to know about it. We also welcome your views on what we do well. Your comments enable us as an organisation to learn and continuously improve our services. If you would like to make a complaint, compliment or comment then please get in touch with the Charity CEO.
Raise (West Hertfordshire Hospitals Charity)
Sycamore House, Watford General Hospital
We recognise there may be times when you would like an independent body to investigate your concerns. The Fundraising Regulator is the independent regulator of charitable fundraising and one of its roles is to investigate cases where fundraising practices have led to significant public concern. In order to ask the Fundraising Regulator to investigate, you must first have given us the opportunity to resolve your concern or complaint through our own internal processes.
The Fundraising Regulator
167 City Road
London, EC1V 1AW
0300 999 3407
Alternatively, you may wish to contact the Information Commissioner’s Office directly via the contact details below. Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly.
Information Commissioner’s Office
Cheshire, SK9 5AF
Phone: 0303 123 1113
Raise (West Hertfordshire Hospitals Charity)
Sycamore House, Watford General Hospital