1.1 Privacy and Security
Brainwave is committed to protecting your privacy and security. This policy explains how and why we use your personal data, to ensure you remain informed and in control of your information.
You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us by emailing email@example.com, in writing to ‘Freepost BRAINWAVE’ or by telephoning 01278 429089 (lines open 9am – 5pm, Mon – Fri).
We will never sell your personal data and will only ever share it with organisations we work with where necessary and if it’s privacy and security are guaranteed.
Any questions you have in relation to this policy or how we use your personal data should be sent to firstname.lastname@example.org or addressed to:
The Data Protection Officer
1.3 About Us
Your personal data (ie any information which identifies you, or which can be identified as relating to you personally) will be collected and used by The Brainwave Centre Ltd (Charity no. 1073238 in England and SC039137 in Scotland) a private limited company with registration number 3666739.
Brainwave Centre Ltd is based at Marsh Lane, Huntworth Gate, Bridgwater, Somerset, TA6 6LQ. For the purposes of data protection law, Brainwave will be the controller.
2. WHAT INFORMATION WE COLLECT
2.1 Personal data you provide
We collect data that you provide us. This includes information you give when enquiring about our services, donating, registering for an event, or communicating with us. For example:
- personal details (name, date of birth, email, address, telephone etc.) when you join as a supporter;
- financial information (payment information such as credit/debit card or direct debit details, and whether donations are gift-aided. Please see section 8 for more information on payment security); and
- details of your interests and preferences (such as campaigns, the ways you support us or types of events you have attended).
If you donate to Brainwave and you are related to one of our families, your relationship to that person will be recorded. This is so that we can use your donation to support that particular child’s therapy provision, if requested.
2.2 Information created by your involvement with Brainwave
Your activities and involvement with Brainwave will result in personal data being created. This could include details of how you’ve helped us by volunteering and attendance or participation in our events.
If you kindly decide to donate to Brainwave then we will keep records of when and how much you give on a particular date and to which project.
2.3 Information we generate
We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and involvement with our work we may be able to build a profile which helps us decide which of our communications are likely to interest you. Section 6 (Research and profiling) contains more information about how we use information for profiling and targeted advertising.
2.4 Information from third parties
We may collect information from social media where you have given us permission to do so, or if you post on one of our social media pages.
Occasionally, we may collect information about certain supporters (eg particularly well known or influential people) from public sources. This could include public databases (such as Companies House), news or other media. We do not do this for everyone, and it is the exception not the rule.
2.5 Sensitive personal data
We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about supporters. However, there are some situations where this will occur (eg if you volunteer with us or if you have an accident on one of our sites or events). If this does occur, we’ll take extra care to ensure your privacy rights are protected.
2.6 Accidents or incidents
If an accident or incident occurs on our property, at one of our events or involving one of our staff (including volunteers) then we’ll keep a record of this (which may include personal data and sensitive personal data).
If you are a volunteer (whether for Brainwave, or if you are helping us for other reasons, for example you work for another organisation which is running an event with us) then we may collect extra information about you (eg references, criminal records checks, details of emergency contacts, medical conditions etc). This information will be retained for legal reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.
3. HOW WE USE YOUR INFORMATION
We only ever use your personal data with your consent, or where it is necessary in order to:
- enter into, or perform, a contract with you
- comply with a legal duty
- protect your vital interests
- for our own (or a third party, when legally required) lawful interests, provided your rights don’t override the these.
In any event, we’ll only use your information for the purpose or purposes it was collected for (or else for closely related purposes).
We use personal data to communicate with people, to promote Brainwave and to help with fundraising. This includes keeping you up-to-date with our news, updates, events and fundraising information. For further information on this please see Section 5 (Marketing).
We use personal data for administrative purposes (ie to carry on our charity work). This includes:
- receiving donations (eg direct debits or gift-aid instructions)
- maintaining databases of our volunteers and supporters
- fulfilling enquiries
- helping us respect your choices and preferences (eg if you ask not to receive marketing material, we’ll keep a record of this).
3.3 Retail Gift Aid
We will use personal date for the administration of conducting a Gift Aid claim, as described when completing your Gift Aid declaration. This will include sending a letter to confirm that we will be reclaiming the Gift Aid back on any donations that have been sold in our Charity Shops. Your details will be stored on our database and only be used in the processing of the claim.
3.4 Internal research and analysis
We carry out research and analysis on our supporters, donors and volunteers, to determine the success of appeals, better understand behaviour and responses and identify patterns and trends. This helps inform our approach towards fundraising and makes Brainwave a stronger and more effective organisation. Understanding our supporters, their interests and what they care about also helps us provide a better experience (eg through more relevant communications).
3.5 Supporter research and profiling
We evaluate, categorise and profile personal data in order to tailor materials, services and communications (including targeted advertising) and prevent unwanted material from filling up your inbox. This also helps us understand our supporters, improve our organisation and carry out research. Further information on profiling can be found in Section 6 (Research and profiling).
4. DISCLOSING AND SHARING DATA
We will never sell your personal data. If you have opted-in to marketing, we may contact you with information about our partners, or third-party products and services, but these communications will always come from Brainwave and are usually incorporated into our own marketing materials (eg advertisements in our newsletters).
We may share personal data with subcontractors or suppliers who provide us with services. For example, if you need something delivered from Brainwave, your name and address will be shared with the delivery company. However, these activities will be carried out under a contract which imposes strict requirements on our supplier to keep your information confidential and secure.
Occasionally, where we partner with other organisations, we may also share information with them (for example, if you register to attend an event being jointly organised by us and a company). We will only share information when necessary and we’ll make sure to notify you first.
From January 2018, Brainwave will ask its supporters to ‘opt-in’ for most communications. This includes all our marketing communications.
This means you will have the choice as to whether you want to receive these messages and be able to select how you want to receive them (email, post, phone or text).
You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us by emailing email@example.com, writing to Freepost BRAINWAVE or telephoning 01278 429089 (lines open 9am – 5pm, Mon – Fri).
5.1 What does ‘marketing’ mean?
Marketing does not just mean offering things for sale, but also includes news and information about:
- our charity and the work with our children and their families
- Brainwave benefits
- volunteering opportunities
- appeals and fundraising (including donations, competitions and raffles etc.)
- our events, activities and local groups
- products, services and offers (of third parties which may interest you); and
- leaving a legacy.
When you receive a communication, we may collect information about how you respond to or interact with that communication, and this may affect how we communicate with you in future.
You can choose to unsubscribe from general marketing communications without opting out of receipt of the newsletter if you wish. However, please be aware that newsletters do include advertisements, details of events and fundraising information.
As a charity, we rely on donations and support from others to continue our vital work. From time-to-time, we will contact supporters with fundraising material and communications. This might be about an appeal, a newsletter, an invitation to an event or to suggest ways you can raise funds.
As with other marketing communications, we’ll only contact you specifically about fundraising if you’ve opted in to receiving marketing from us (and you can unsubscribe at any time).
6. RESEARCH AND PROFILING
This section explains how and why we use personal data to build profiles which enable us to understand our supporters, improve our relationship with them, and provide a better supporter experience.
6.1 Analysis and grouping
We analyse our supporters to determine common characteristics and preferences. We do this by assessing various types of information including behaviour (eg previous responses) or demographic information (eg location).
By grouping people together on the basis of common characteristics, we can ensure that the group is provided with communications, products and information which is most important to them. This means we are utilising our resources and we are not wasting resources on contacting people with information which is not relevant to them.
6.2 Profiling to help us understand our supporters
We profile supporters in terms of financial and practical support. For example, we keep track of the amount, frequency and value of each person’s support. This information helps us to ensure communications are relevant and timely.
If, based on information that has been provided to us (such as geographical location, demographics or previous donations), it appears an individual might be willing and able to provide more support we may contact them to see if they wish to do so.
On occasion, we may also combine information about particular supporters with external information (such as directorships listed on Companies House, or news about an individual which has featured in the media) in order to create a more detailed profile about a particular individual.
We collect information on preferences and interests so that we know what marketing material you are mostly likely to be interested in.
We will also obtain information about you from other sources, much of which is available on public and private databases. We do this to enhance and fill-in any gaps so that we can understand our supporters better, send you the most relevant communications and target our resources effectively.
6.3 Anonymised data
We may aggregate and anonymise personal data so that it can no longer be linked to any particular person. This information can be used for a variety of purposes, such as recruiting new supporters, or to identify trends or patterns within our existing supporter base. This information helps inform our actions and improve our campaigns, products/services and materials.
7. CHILDREN, YOUNG PEOPLE & VULNERABLE ADULTS
7.1 Information for parents/guardians/carers
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of children. If your child is under 18, we’ll only use his or her personal data with your consent (subject to 7.2 below). This means that, for example, if your child wants to have his or her name or picture featured in one of our newsletters, we’ll need you to confirm you’re happy for us to do so.
7.2 Child Competency
In the UK there is no set age of consent for data privacy other than that for Information Society Services (ISS) where the law states that only children aged 13 or over are able to provide their own consent. Instead ability to consent is based on competence. At Brainwave your child may be able to give their own consent if they are (1) able to understand their rights and (2) judged capable of giving consent by their Lead Therapist. Parents or Guardians will be consulted on the final decision, but if Child Competency is agreed then Brainwave will ensure that consents are sought from the child rather than the parents or guardians.
7.3 Marketing and fundraising
We won’t send marketing emails, letters, calls or texts messages to any individual we know to be under 18 years old.
8. HOW WE PROTECT DATA
We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, use or disclosure of your personal information.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.
8.1 Payment security
All electronic Brainwave forms that request financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a credit card to donate or purchase something on-line we will pass your credit card details securely to our payment provider (Stripe). Other payment methods are handled in a similar manner. Brainwave complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council and will never store card details.
Of course, we cannot guarantee the security of your home computer or the internet, and any online communications (eg information provided by email or our website) are at the user’s own risk.
Some of our premises have CCTV and you may be recorded when you visit them. CCTV is there to help provide security and to protect both you and Brainwave. CCTV will only be viewed when necessary (eg to detect or prevent crime) and footage is only stored for temporarily. Unless it is flagged for review, CCTV footage will be recorded over periodically.
Brainwave complies with the Information Commissioner’s Office CCTV Code of Practice, and we put up notices so you know when CCTV is in use.
9.1 Where we store information
Brainwave’s operations are based in the UK and we store our data within the European Union. Some organisations which provide services to us may transfer personal data outside of the EEA, but we’ll only allow them to do so if your data is adequately protected.
For example, some of our systems use Microsoft products. As a US company, it may be that using their products result in personal data being transferred to or accessible from the US. However, we’ll allow this as we are certain personal data will still be adequately protected (as Microsoft is certified under the USA’s Privacy Shield scheme).
9.2 How long we store information
We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored for depends on the information in question and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (though we’ll keep a record of your preference not to be emailed).
We continually review the information we hold and we ensure that when information is no longer required we thoroughly delete it. We never store payment card information.
10. KEEPING YOU IN CONTROL
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:
- the right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request);
- the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
- the right to have inaccurate data rectified;
- the right to object to your data being used for marketing or profiling; and
- where technically feasible, you have the right to personal data you have provided to us which we process automatically on the basis of your consent or the performance of a contract. This information will be provided in a common electronic format.
Please keep in mind that there are exceptions to the rights above and, although we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
If you would like further information on your rights or wish to exercise them, please email our Data Protection Officer at firstname.lastname@example.org or write to them at The Data Protection Officer, Freepost BRAINWAVE.
We can provide you with a template Subject Access Form which includes guidance on how to make your request (and will help us respond more quickly). Please contact us for a copy of this.
You can complain to Brainwave directly by contacting our Data Protection Officer using the details set out above. If you wish to make a complaint (including a complaint about fundraising activity) which does not directly relate to your data protection and privacy rights, you can do so in accordance with our charity’s Complaint Policy.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.
11. COOKIES AND LINKS TO OTHER SITES
Our website uses local storage (such as cookies) to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online). Further information can be found in our Cookies Policy at www.brainwave.org.uk/cookiepolicy.
11.2 Links to other sites
Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working by emailing us at email@example.com).
When purchasing goods or services from any of the businesses that our site links to, you will be entering into a contract with them (agreeing to their terms and conditions) and not with Brainwave.
Last review date: 4 October 2018
Reviewed by: HR Manager
Agreed by SMT: 4 October 2018