Privacy and Data Protection Policy
The Brain Tumour Charity is committed to protecting your personal information and being transparent about what information we hold. This policy is designed to give you a clear explanation about how we collect and use the personal information you provide to us and ensure that we are honest and clear about your privacy and personal information at all times.
The Brain Tumour Charity is the Data Controller and we are registered with the Information Commissioner's Office as a Data Controller under reference Z7239747 for all of our activities.
In our policies, ‘we’, ‘us’ and ‘our’ refers to The Brain Tumour Charity, TBTC Trading Ltd and The Lewis Moody Foundation, which is administered by The Brain Tumour Charity.
TBTC Trading Ltd sells a range of products and all of its profits are donated to The Brain Tumour Charity.
We are a registered charity no. 1150054 (England and Wales) and SC045081 (Scotland). The Brain Tumour Charity is a company limited by guarantee no. 08266522 and TBTC Trading Ltd is a company limited by guarantee no. 08855559. All entities are registered at Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH.
All entities are wholly owned and controlled by The Brain Tumour Charity and all staff are The Brain Tumour Charity employees.
We are registered with the Fundraising Regulator and follow their best practice code: Code of Fundraising Practice.
We are a member of the Association of Medical Research Charities and the Helplines Partnership.
By using our websites, social media pages, services (including phone, email and LiveChat) or providing your information to us, we will collect and use your information in the way(s) set out in this policy. If you do not agree with this policy, please do not use our sites, social media pages or services.
We may make changes to this policy from time to time. If we do so, we will post the changes on this page and they will apply from the time we post them. This policy was last changed on 07/01/2021.
Personal data is information that can be used to help identify an individual, such as name, address, phone number or email address. Some categories of data are more sensitive and are referred to as special category data, including health information. Non-personal data is data that can’t identify you personally, but can provide us with information to improve our services.
It’s important that you read our policy in full but to help guide you if you don’t have time right now, here is a quick summary:
- We collect information that can be personal data, sensitive personal data or non-personal data.
- We collect information about the people we support, our supporters, funders, volunteers, the researchers who have expressed an interest in our funding and employees.
- We collect information to provide services or goods, to provide information, to develop our BRIAN databank, to provide grants to researchers, to fundraise for our work, for administration, research, profiling and analysis to better understand our supporters and for the prevention or detection of crime.
- We only collect the information that we need or that helps us to provide the best possible service and fulfil our charitable aims and objectives.
- We do our utmost to keep personal information secure, including SSL technology (secure server software) on all of our websites and storing data on a secure database.
- We never share your data with another company or charity for their marketing or commercial purposes.
- If you have signed up to our BRIAN database, we may share your data anonymously with other BRIAN users, clinicians and researchers. If you have given consent for your data to be shared with BRIAN, we will need to provide NHS Digital with a limited amount of your personal data (e.g. your NHS number) in order to obtain your healthcare records from them.
- If you request to use our Benefits Clinic, we will share your contact details with Citizens Advice Rushmoor, so our specialist advisor can get in touch.
- We only share data where we are required by law or with carefully selected suppliers and trusted partners who do work for us, for example, a mailing house to send out our newsletter. All our partners are required by their contract with us to treat your data as carefully as we do, to only use it as instructed and to allow us to check they do this.
- You can change your marketing preferences at any time by contacting our Central Operations team – email@example.com / 01252 237792.
We collect information when you interact with us in order to build a world where brain tumours are defeated.
We collect four kinds of information
1. Non-personal information such as IP addresses (the location of the computer on the internet), web pages accessed, BRIAN app usage activity and files downloaded. This helps us to understand how many people use our websites, how many people visit on a regular basis and how popular/useful our web pages are. This information doesn’t tell us anything about who you are or where you live.
2. Personal information. We will ask you for information in order to provide you with the services requested, for example to send you information or process a donation.
3. Sensitive personal information or special category data. We may ask you for information about your health, for example, if you are living with a brain tumour and tumour type, so that we can provide you with relevant information and support or in order to support your safe participation in an event. We may also collect this information if you make the information public or if you tell us about your experiences relating to a brain tumour (for example, if you agree to share your story with us). We only collect this information with your consent.
4. For the BRIAN database, The Brain Tumour Charity receives health record information of patients who have been diagnosed with a brain tumour from NHS Digital and Public Health England. This information consists of diagnosis and treatment codes, along with data on sex, ethnicity and a broad indicator of locality per patient. For the majority of patients this information is pseudonymised, which means it is of a good enough standard to support research while maintaining patient anonymity. However, for patients that have provided The Charity with consent to have access to their official healthcare records, it will be able to obtain identifiable information from NHS Digital. In order to obtain this, The Charity will need to provide NHS Digital with a limited amount of those patients’ personal data such as NHS numbers.
Users of BRIAN can also choose to contribute a wide array of data, including healthcare information such as diagnoses, treatments, and medications, quality of life information, images of their face, samples of their speech, and wearable data such as FitBit or Apple health.
We are committed to protecting the privacy of the young people that engage with us. If you are under 16 and would like to get involved, please ensure you have consent from a parent or guardian before you provide your personal information to us. We do not send any marketing communications direct to children under 16.
We collect information about you in the following ways:
Information you give to us directly, for example when you:
- Sign up (yourself or others, including your children to take part in or attend one of our fundraising, support or professional events.
- Apply for one of our research grants.
- Register with and buy products on our shop.
- Make a donation or tell us about your fundraising plans.
- Tell us about a Gift in your Will.
- Request information from our Support team, for example The Brainy Bag or an Information Pack.
- Contact our Information and Support Team, when you may choose to provide details, including details of a personal nature, in particular about you or someone else’s health.
- Join BRIAN, our Brain tumouR Information and Analysis Network, a secure databank.
- Join our closed Facebook support groups.
- Choose to share your story with us. With your consent, we may record any calls to ensure accuracy of recording your story details.
- Take part in surveys, questionnaires or get involved with our campaigns.
- Volunteer with us.
- Sign up to our e-newsletter
- When you visit our websites, we collect technical information such as the IP address you use to visit the website, your browser type and version and your browsing history
- Contact us or become involved with us in any other way not listed above.
Information from third parties
We may also receive information about you from third parties if you have given them permission to share this information and indicated that you wish to support The Brain Tumour Charity, for example,if you set up a fundraising page for us with JustGiving or Facebook, sign up to a challenge with Discover Adventure or enter an independently organised event like the London Marathon.
Depending on your settings or the privacy policies for social media and messaging services, we may access information from those accounts or services.
If you have been named as the Executor on a Will, we may receive your details in order to administer a Gift left to us in that Will.
If you have registered to use BRIAN, there are different rules around the use of your data which are applied. When you are using the BRIAN app, the terms and conditions describe where data for this project is collected from, the period it will be retained for, who it is shared with and your right to erasure.
Publicly available sources
We collect information about potential peer reviewers for our grant rounds from Web of Science, Research Gate, PubMed and Google Scholar. We also collect information about journalists who may be interested in our work. We use publicly available sources to ensure we understand our supporters effectively, which is detailed in this section: Understanding our supporters and working more effectively.
If you use your credit or debit card to donate to us, pay for a registration or make a purchase over the phone, we will ensure this is done securely and in accordance with the Payment Card Industry (PCI) Data Security Standard. We do not store your credit or debit card details at all following the completion of your transaction. All card details are securely destroyed once the payment or donation has been processed.
All purchases and donations completed online are handled securely by Stripe or PayPal and we do not receive your card details.
We will mainly use the information we collect about you to:
- Provide you with the services, products or information you asked for, for example, The Brainy Bag, Information Pack or fundraising materials.
- Administer your donation or support your fundraising, including submitting your details to HMRC to claim Gift Aid if applicable.
- Administer your participation in an event, which may include sharing your details with a third party event organiser.
- Support your participation as a volunteer of one of our campaigning or research groups.
- Keep you up-to-date with the impact of your support and our work (including volunteering and events) and to ask for financial and non-financial support. This will only be where you have consented to being contacted for these purposes unless The Brain Tumour Charity is in a position to rely on the Legitimate Interest basis (find out more about Legitimate Interest in this section) for contacting you via postal communications only.
- Manage our research grants, including funding availability notifications and the peer review process.
- Support and further our mission, for example if you have shared your story or given us consent to use your photo, we may use this in marketing or promotional materials.
- Process orders from our online shop.
- Share data with other BRIAN users in an aggregated, anonymous format such as graphs and infographics.
- Share data from BRIAN with clinicians, analysts and researchers in an anonymous format in order to find a cure quicker.
- Share some data from BRIAN with NHS Digital in an identifiable format in order to enable them to share your healthcare records with us.
- Help us identify how BRIAN can be improved in the future.
- Carry out any obligations arising from any contracts entered into by you and us.
- Process a job or volunteering application.
Keeping a record of your relationship with us
We record contact we have with you, so we have a clear understanding of our relationship, how you’ve supported us or have been supported by us in the past. We may also collect and retain your information if you send us feedback about our services, give us a compliment or make a complaint
Understanding how we can improve our services, events, products or information
We believe it’s important to make sure that all of our services are the very best they can be, which is why we evaluate them. Once you’ve used one of our services, taken part in an event, received information, used BRIAN or bought a product, we may get in touch to ask you about your experience. You don’t have to take part but it’s really valuable to help us improve in the future.
To make sure we continue to understand the developing needs of our community, we will securely store the content that is shared across the Four Private Facebook support Groups anonymously in a separate internal database to help us identify the needs of our community and make improvements to our services and information. To do this, we may on occasion make use of trusted external consultants/partnerships for monitoring and gaining insight, the data won’t be shared with any unknown third parties.
Understanding our supporters and working more effectively
We are committed to providing everyone who gets in touch with us with the very best experience, providing you with timely and relevant communications and using our resources effectively.
To do this, we may use profiling techniques to provide us with general information about you, which may include geographic, demographic or other information relating to you to better understand your interests and preferences. This information is compiled, either by our employees or occasionally a third party insights company, using publicly available data or information that you have already provided to us.
Publicly available information may include information found in places such as Companies House, the Charity Commission, LinkedIn, listed Directorships, typical earnings in a given area or published in the media.
By doing this it allows us to understand the background of the people who support us and helps us to make the right requests. Importantly, it helps us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
Safeguarding is everyone’s responsibility, and therefore we have a duty, wherever possible, to share any concerns that we have about conversations, livechats, emails, posts, messages or comments that indicate you or someone else might be at risk, with the relevant services. This includes reference to abuse or neglect.
Though we will always try to share our concerns with you, we reserve the right to share information with external agencies without checking first; especially if it is thought that by sharing our concerns this might put others at, or increase the risks identified.
The law requires us to set out the lawful grounds on which we collect and process your personal information as described in this policy. Depending on the purposes for which we use your data, one or more of the grounds listed below may be relevant.
In certain instances, we collect and use your personal information by relying on the legitimate interest legal basis. In broad terms, our ‘legitimate interests’ means our interest in being able to run The Brain Tumour Charity as a charitable entity effectively in pursuit of our aims and ideals. This includes:
- Sending our regular supporter newsletter, The Grey Matters, by post to keep supporters informed of our work and progress towards our goals.
- Sending direct marketing material to supporters by post for fundraising purposes
- Conducting research to better understand who our supporters are and better target our fundraising activity
- Conducting research to better understand who is using our Support Services and their impact to improve our service offering
- Measure and understand how our audiences respond to a variety of marketing and communications activity so we can ensure our activities and services are well targeted, relevant and effective
- Providing information about brain tumours
- Processing donations
- Administering events
- Staff recruitment and taking applications for volunteers and contacting volunteers about their role
- The use of CCTV recording equipment in and around our premises for monitoring and security purposes
- However ‘legitimate interests’ can also include your interests, such as when you have requested information or certain goods/services from us, and those of third parties
- If we rely on the ‘legitimate interests’ basis to use your personal information, we will only use the information in accordance with the purposes described in this policy.
When we legitimately process your personal information in this way, we also consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example, where collection and use of your information would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
In many instances, we will rely on obtaining your consent to our use of your personal information in a certain way (for example, registering for our BRIAN databank, asking for your consent to use your personal information to send you marketing information by email and to share sensitive personal information with us).
We may need to collect, process and disclose personal information to comply with a legal obligation. For example, where we are ordered by a court or regulatory authority or we are legally required to hold donor transaction details for Gift Aid or accounting/tax purposes. We may also use personal information to cross check and prevent known malicious activities on The Brain Tumour Charity’s websites.
Performance of a contract
For example if you purchase something from our online shop, apply for a grant from us or agree to work for us, we need to be able to process your information for the purpose of meeting our contractual obligations.
Communicating with you
If you have provided us with your postal address we may send you direct mail, including The Grey Matters newsletter, which will include updates on our work - the research we’re funding, the information and support services we offer and our early diagnosis work. We may also contact you about fundraising, campaigning, events and trading. We do not ask for consent to write or call you about these things, because, as a charity, each of these activities is fundamental to how we work, so we have a legitimate interest to contact you. However, you have the option to opt-out of receiving marketing communications by post or phone at any time by contacting our Central Operations team by writing to us at our Head Office address, emailing firstname.lastname@example.org or calling us on 01252 237792.
We will only send you marketing communications by email if you have consented to receive these. You can unsubscribe at any time by clicking on the unsubscribe link in our marketing emails. Our mass email service allows us to track who has opened our e-newsletter and what links have been clicked on. This allows us to monitor what information is most useful to improve our content and information in future.
If you have indicated you do not wish to be contacted by us for marketing purposes, we will retain your details on a ‘do not contact’ list to help ensure that we do not contact you accidentally. However, we may still need to contact you if you carry on dealing with us, including (but not limited to):
- Processing a donation you make or any continuing Direct Debit
- Providing you with information you need in order to participate in an activity, event or campaign for which you have registered
- Sending you information you’ve requested or shop orders placed
- Explaining and apologising where we have made a mistake
- Dealing with future legal claims in connection with a contract we have with you.
When you give us your details, you agree to us recording your details on our secure database, so we can provide you with the best possible service every time you contact us. We hold your personal information for as long as required to provide you with the information or services you have requested, to administer your relationship with us, to inform our research into brain tumours, to inform our supporters’ preferences, to comply with the law or to ensure we do not communicate with people who no longer wish to hear from us.
We have adopted a data retention policy that sets out the different periods we retain personal information for in respect of these relevant purposes. The criteria we use for determining these retention periods is based on various legal requirements; the purpose for which we hold data and whether there is a legitimate reason for continuing to store it (such as in order to deal with any future legal disputes); and guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner's Office (ICO).
Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal information may be retained by us in archives for statistical or historical research purposes although we will do this in a manner that complies with applicable data protection law.
We continually review what personal information and records that we hold, and delete what is no longer required. We never store payment card data after the transaction has been completed.
The Brain Tumour Charity holds its data on secure databases which are hosted in the UK or EU. Access to this system is limited and there is restricted access to data based on a person's role in the organisation.
The Brain Tumour Charity's digital files are stored on a terminal server hosted by Bluecube Technology Solutions at a data centre in the UK. Access to this data centre is restricted.
Our third party suppliers store data in the UK or EU, with the following exceptions:
- Our online shop is hosted by BigCommerce, who store data in the USA. If you create an account with them, you can manage your personal data online.
- Our online events registration platform, Eventbrite, who store data in the USA. If you create an account with them, you can manage your personal data online.
- Our survey tool, SurveyMonkey, who store data in the USA.
- Our marketing automation tool, Marketing Cloud by Salesforce, who store data in the USA.
- Our booking system for our Benefits Clinic, Acuity Scheduling, who store data in the USA.
The BRIAN web & mobile app database is hosted by Microsoft Azure at a datacentre in the UK. Access to this data centre is restricted.
The BRIAN mobile app stores your name, date of birth, gender and email address in a secure, encrypted storage location on your device.
Where we engage with organisations outside of the UK or EU, we will endeavour to ensure that the processing of your data is subject to appropriate security measures. All of our current suppliers adhere to the EU-US Privacy Shield – you can find out more: https://www.privacyshield.gov/welcome
In line with the principles defined in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), The Brain Tumour Charity will ensure that personal data will be processed in ways that are:
- Lawful, fair and transparent
- Collected for specific explicit and legitimate purposes
- Adequate, relevant and limited
- Accurate and up-to-date
- Not kept for longer than necessary
Your details will be kept securely and only shared with trusted suppliers, who have a contract with us, who enable us to deliver our charitable objectives, for example, distribution of our newsletter or if required to by law, i.e. with the police or a regulatory body. At all times we remain legally responsible for your data. We never share your data with any third parties for their own marketing or commercial purposes, including charities.
We participate in Facebook’s Custom Audience and Lookalike Audience programs so that you can receive relevant ads from us when you use Facebook, and so that we can raise awareness among users of Facebook who share similar interests to you. We provide personal information such as your email address to Facebook to enable them to determine if you are a registered account holder with Facebook. Our adverts may then appear when you access Facebook and on your Facebook feed. Your data is sent in an encrypted format that is deleted by Facebook if it does not match with a Facebook account. For more information please read the Facebook Business page about Custom Audiences and Facebook’s Data Policy.
Cookies, web beacons and similar technologies
You may be able to opt-out of third party advertising technologies (including cookies) which remember your browsing habits and try and display relevant advertising when you use our websites, app(s) or services by visiting www.youronlinechoices.com/uk/your-ad-choices. If you choose to turn off these technologies, we may still serve you ads but these ads are unlikely to be tailored to your interests.
We use the information we gather to help improve the experience and personalisation of our website. For example, they help us to identify and resolve errors, or to determine the most relevant information and services to show our visitors in the future.
Under UK data protection law, you have rights over personal information that we hold about you. These are summarised below.
Right to be informed
You have the right to be told how your personal information will be used. This policy and other policies and statements used on this website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.
Right to access your personal information
You have a right to access certain personal data being kept about them, either physically or digitally. Anyone who wishes to exercise this right should apply, in writing, to the Data Protection Officer at The Brain Tumour Charity, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH or email@example.com. Please include details of the information you wish to access. The Charity will respond within 30 days, providing that the request includes appropriate contact details, proof of identity from the individual and we can validate the request.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies. If the information has been provided to us by the NHS as part of the BRIAN databank, you will need to contact them to have their records amended.
Right to restrict use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions (i.e. if we have to hold on to it to meet a legal obligation), you have the right for this to be done.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal information
If we are processing your personal information based on our legitimate interests or for scientific/ historical research or statistics, you have a right to object to our use of your information. If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
If you want to exercise any of the above rights, please contact our Central Operations team at The Brain Tumour Charity, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH or by email: firstname.lastname@example.org We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within 30 days of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the Information Commissioner’s Office in their 'Your Data Matters' guidance for individuals.
Where possible we use publicly available sources to keep your records up-to-date, for example, the Post Office’s National Change of Address database and the National Bereavement Register. However, we really appreciate it if you let us know if your contact details or circumstances change. Just contact our Central Operations team at email@example.com or call us on 01252 237792 and we will update our records.
Your personal preferences and keeping your data accurate is of utmost importance to us.
If at any stage you do not want to hear from us, want to change your contact preferences or want to update your details, you can email firstname.lastname@example.org, call us on 01252 237792 or write to our Central Operations team at The Brain Tumour Charity, Fleet 27, Rye Close, Fleet, Hampshire, GU51 2UH.
Any marketing email we send you will contain information about how to unsubscribe from email marketing communications. During any phone, email or LiveChat conversation you have with us, please feel free to let us know how you prefer to be contacted.
If you are unhappy at any time about the way we process and/or use your personal information, please contact The Charity’s Data Protection Officer who will investigate your concerns. Please write to them at The Brain Tumour Charity, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH, email email@example.com or call 01252 749990.
If we are relying on Legitimate Interests to process your data, or we are implementing a new project or system relating to personal data, we carry out a Legitimate Interest Assessment or a Data Protection Impact Assessment. If you would like to see a copy of a specific assessment, please get in touch with our Data Protection Officer as above.
We appreciate the opportunity your feedback gives us to learn and improve. Find out more in our Complaints Policy.
If you are unhappy with the way your (or your child's) data are being processed, and we have been unable to satisfactorily resolve your concern, you have the right to complain to the Information Commissioner's Office (ICO): www.ico.org.uk