We may change this policy from time to time by updating this page. You should check this page periodically to see the latest version of our policy. This policy is effective from 12 September 2020
SASH Charity (“we” and “us”) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.
In carrying out our day to day activities we are required by law to adhere to, amongst other things, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. We take our responsibilities under the Regulation very seriously and we aim to ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with the law.
Who we are
The data controller is SASH Charity, a registered charity in England and Wales (1054072).
How do we collect information?
When you provide it to us directly
You may provide personal information by electronic means (email and website), by letter, by phone, or in person. Examples include when you call SASH Charity regarding our activities, register online to participate in a fundraising event, or make a donation in our hospitals.
We only collect the minimum amount of information required and use it for the purpose(s) for which you have consented. You may choose not to provide us with personal information, although this may affect our ability to provide you with the required service or your ability or participate in the activity in question.
When you provide it to us indirectly
We may receive information about you from third parties – but only if you’ve given them permission to share your information with us.
From third party organisations
We may also receive data which you have agreed to share with charities, or that you have submitted to receive another service and you have agreed for the information be shared with others.
Examples of this include using the Royal Mail National Change of Address Update service, where you request your mail to be redirected and for organisations who contact you to be updated with your new address details.
When you have made your information available publically
This may include information found in places such as the electoral register, information published in articles/newspapers, on charity or company websites, or on public social media accounts.
When we collect it as you use our website or apps
Our cookies contain no data specific to an individual, so that your privacy remains protected. They contain neither your email address, nor do they tell us who you are.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We use web visitor analytics (e.g. Google Analytics) to understand how people use our website so we can make it more effective. Web analytics tools collects anonymous information about what people do on our website, where they’ve come from, and whether they’ve completed any tasks on the site, for example, signing up to volunteer or donating. Analytics tools track this information using cookies which are text files placed on your computer. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by internet companies on servers that may be outside the EU. This information is used for the purpose of evaluating your use of the website and compiling reports on website activity.
If you do not want cookies to be stored on your PC it is possible to disable this function without affecting your navigation around the site although some of the functionality of our website may be affected.
We also use data from Interest-based advertising or 3rd-party audience data (such as age, gender, and interests) with our web analytics.
What personal information we collect
The type and quantity of information we process and how we use it depends on why you are providing it to us. Examples include making a donation, submitting an enquiry, or making a complaint.
Information we collect may include;
- Your name
• Your contact information including address, email address, telephone numbers
• Your date of birth
• Your bank account or debit/credit card details, for making donations
• Other pertinent information which you have freely provided to us in conversations or correspondence
Where appropriate we may also collect;
- Information relating to your health, for example if you are taking part in a high risk event
• Why you have decided to donate to us, if you are comfortable telling us this.
Special Category Data
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data would be information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information about our supporters when there is a clear reason for us to do so, for example asking for health information if you are taking part in an event. We may also collect this type of information if you make it public or volunteer it to us – for instance if you tell us your medical history as part of a conversation about your experiences with Surrey and Sussex Healthcare NHS Trust.
We do not process special category data on a large or organised scale, for example in the scenario above, we may use this special category data to inform our relationship or conversations with you, but we will never use it for marketing purposes either on an individual or mass basis.
How we will use your personal data
We will only ever use your personal information for the purpose(s) originally intended, those which you agree to, or those which you would reasonably expect us to.
Below are some examples of how we may use your personal information;
• To provide you with the services or information you have requested
• To process any donation(s) we may receive from you
• To provide you with information about our work or our activities, including asking you to help us raise money or donate money to our charity, but always in accordance with how you have agreed to be contacted
• To ensure we know how you prefer to be contacted
• To send you items you have ordered
• To invite you to participate in surveys or research
• To publicise your story and experiences of Surrey and Sussex Healthcare NHS Trust to raise awareness of our work. This will only happen after discussions with you, and with your express consent. We keep you updated about when and where we use your story.
• For administration purposes e.g. we may contact you about a donation you have made or event you have expressed an interest in or registered for
• For internal record keeping, such as the management of feedback or complaints
• To analyse and improve the services we offer
• The use of IP addresses to block disruptive use, to record website traffic or to personalise the way our information is presented to you to identify your approximate location
• Where it is required or authorised by law
• For the purposes of credit risk reduction or fraud prevention (regrettably some people target charities for illegal purposes such as money laundering and, quite rightly, we are required to monitor financial activity and report suspected fraud to the appropriate authorities)
Building profiles of supporters and targeting communications
In future we may use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively, which supporters tell charities is a key priority for them. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
When building a profile we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available, as detailed earlier in this Policy.
The legal basis for processing your information
Data protection laws mean that we must have a legal basis to process personal information. The relevant legal bases set out under the GDPR, are listed below, where we also detail examples of our activities which we process under each basis.
Consent is where we ask you if we can use your information in a certain way, and you agree to this. For example, any time we send you marketing via electronic means – that is SMS or e-mail – we will only do so when we have clear and unambiguous consent from you. You have the right to withdraw consent for any future use of your information for these purposes at any time.
We have a basis to use your personal information where we need to do so to comply with a legal or regulatory obligation. For example, in some cases we may need to share your information with a regulator such as the Information Commissioner or Fundraising Regulator.
Performance of a contract or taking steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us, for instance purchasing merchandise from us, or if you are applying to work or volunteer with us.
We have a legal basis to use your personal information where it is necessary for us to protect life or health; these are examples of your vital interest. For instance, if there were to be an emergency impacting individuals at one of our events which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so, this means it’s in our or their legitimate interests – provided that the reason your information is used for is fair and does not unduly impact your rights.
We consider our legitimate interests to include all of the day-to-day activities SASH Charity carries out with personal information. Some examples of where we rely on legitimate interests are:
- Analysis and profiling of our supporters using personal information we already hold
•Updating your address using third party sources if you have moved house (please see the “How do we collect information?” section above for details of this)
•Use of personal information when we are monitoring use of our website or apps for technical purposes
•Use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and researchers
•Sharing of personal information between relevant teams within SASH Charity, and between our trading subsidiaries
•Where you have signed up with us on a charity place for a third party event, for example a sponsored run not organised by us, we may share personal information with the third party event organiser so they can effectively administer the event
When using legitimate interests, we assess any potential impact on you, whether it is intrusive from a privacy perspective and whether it is aligned your rights under data protection laws.
When we process sensitive personal information, known as Special Category data, (please see the “What personal information we collect” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public or have freely provided this information to us). We do no process Special Category data on a large or organised scale.
How we protect your personal information
We take appropriate physical, electronic and managerial measures to ensure that we keep your information secure, accurate and up to date, and that we only keep it as long as is reasonable and necessary.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Will we disclose the information we have collected to outside parties?
SASH Charity does not rent, swap or sell personal details to any third party.
Some of the systems operated by SASH Charity are provided by third party service providers including fully hosted IT solutions, for example Direct Debit payment processing, at remote sites and accessed via the internet.
In addition we may use external companies to assist with fundraising activities such as newsletter production & mailing house services, supporter recruitment and management, lottery and data analytics.Where these services are provided personal information may be released to the third party organisation under an agreed contract, which will stipulate how data is to be transferred, secured and destroyed and the purpose for which it may be used.
SASH Charity remains responsible for the data and ensuring that it is processed in accordance with GDPR.We take all reasonable steps to ensure any third party processing data on our behalf adheres to our data protection principals highlighted in this policy by undertaking a due diligence review of the data protection policies of the proposed data processor to ensure as far as reasonably practicable the safety, security and availability of data.
Some of our suppliers may run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK and EU law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA. We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Your rights to see what we know about you, to make changes, to ask us to stop processing your data, and to ask us to delete information we hold.
You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (e.g. processing your donation or registering you for an event) we will do so.
You have the right to request a copy of the personal information relating to you which is held SASH Charity.
You also have the right to request all data held by us to be deleted. There may be some circumstances where this is not possible, for example if we need to keep the data to comply with a legal obligation. To do this, please contact The Supporter Care team in writing either by email [email protected], or post to;
Trust Headquarters (Room AD63)
East Surrey Hospital
We will reply within 28 days of receipt of your request. It will help us to locate your records more easily if you can tell us something about the nature of your contact with SASH Charity.
How to update my information or change how we contact you?
Hearing from us
We will always comply with our legal obligations when contacting our supporters. This means that for written communications, and communications over the phone, we will always give you the option to opt out of hearing from us. We will endeavour to only send timely communications, which are relevant to how you support or interact with us, and will make it easy for you to opt out at any time.
For electronic communications (email and SMS) we will only send marketing communications to those that have explicitly stated that they are happy for us to do.
Our marketing communications include information about our latest campaigns and lifesaving work. If you would like to receive such communications but currently do not, please complete the form here. Likewise, if you currently receive communications from us and no longer wish to, or wish to amend how we contact you, please contact our charity team by phone 07966 235171 or by email [email protected]
Supporters under the age of 18
When you register with us, you are stating that you are over 18 years of age or are a minor acting with parental consent so please ensure you have consent of your parent or responsible guardian.
We will regularly review this privacy statement and our up to date policy will be posted on our website. You are advised to check periodically in order to keep up to date with any changes.