At Cystic Fibrosis Trust, we are committed to protecting your personal information and being transparent about what we do with it. We will use your personal information in accordance with all applicable laws concerning the protection of personal information and not do anything with your information you wouldn’t reasonably expect.
- Who are we
- How we get your personal information
- What information we collect
- How we use your information
- How we will communicate with you
- What 'consent' and 'preferences' are
- Who we share your information with
- Social media
- Information and support services
- Your rights
Who are we?
In this policy references to Cystic Fibrosis Trust, or the Trust, or to ‘we’ or ‘us’ are to Cystic Fibrosis Trust which is a registered charity in England and Wales 1079049, and in Scotland SC040196.
Cystic Fibrosis Trust is what’s known as the ‘controller’ of the personal data you provide to us. We will usually collect basic personal data about you like your name, postal address, telephone number, email address and your bank details, if you are giving us a donation for example.
Sometimes we will collect other information about you such as your date of birth, gender, or your relationship to cystic fibrosis. We will always be very clear with you about the reasons why we may wish to collect such information, and we will only do so with your specific consent and permission.
Sometimes we appoint third parties to take on tasks for us like managing the production of print materials for delivery, including CF Life magazine, as well as the storage and delivery of fundraising materials. These third parties are known as 'Data Processors'.
Where we appoint a third party to process data, it will always be with a formal agreement in place between Cystic Fibrosis Trust and that organisation, to protect the security of your data. See the section ‘who we share your information with’
If you would like a list of processors you can request it by contacting the Data Protection Officer at email@example.com.
Regional Fundraising Volunteers
We may change this document from time to time to reflect the latest view of what we do with your information. Please check back frequently; you will be able to see if changes have been made by the date the Policy was last updated at the end of the document.
Cystic Fibrosis Trust (“we”) is committed to ensuring your data is kept safe and will be accessed only when there is a clear need. We will also ensure that your preferences for how we contact you with marketing communications are respected. All staff receive data protection training, and relevant safeguards and policies are in place.
Privacy, confidentiality – what does it all mean?
We use your data in a number of ways based on the law and what you tell us you’re happy for us to do with it. We’re committed to keeping your details safe, and to making sure it’s easy to understand what we do with them. How we contact you with marketing communications is up to you. You can use the links below to explore the different elements of our Policy.
By ‘confidentiality’, we mean that we will only access or process your data when there is a clear need, or where you have given express consent to be contacted.
How do we get your personal information?We collect your personal information in several ways:
- When you provide it to us directly. You may give us your information to sign up for one of our events; when you contact us to ask about our activities or to tell us your story; if you order products from us, seek assistance, (e.g. contacting our information and support services), or enquire about being a volunteer; when you make a donation to us, fundraise on our behalf, or otherwise give us personal information.
- When we collect it as you use our websites. (see ‘Cookies’).
- When you have given it to a third party and you have provided permission to pass your information on to us. For example, if you register for the Virgin London Marathon and select Cystic Fibrosis Trust as your charity. When providing permission for third party organisations to share your data you should check their Privacy Policies carefully to understand fully how they will process your data.
- From publicly available sources. (where possible) to keep your information up to date (e.g. Companies House).
We combine the information from these sources with the information you provide to us directly.
What are cookies?
Cookies are a text-only string of information that we pass to your computer's hard disk through your web browser so that our website can remember you. Most cookies help us understand how people use our website and services so we can continue to make it better. Some cookies are however necessary for our website to work properly (such as remembering items added to an order or providing website security).
As we respect your right to privacy, our website allows you to choose not to accept some types of cookies (those that are not ‘strictly necessary’), including those used to better target advertising or improve the performance of the website. Our cookie notification pops up when you first enter our website (you’ve probably already clicked to dismiss it when you arrived here today).
If you would like read more about the Trust’s Cookies Policy, including the specific cookies we use and why, please see: https://www.cysticfibrosis.org.uk/our-cookie-policy/
What information do we collect?
We collect personal information in connection with specific things we do. These include campaign actions, newsletter requests, registration or membership requests, product purchases, feedback, donations, competition entries, information you provide in public forums, on our sites and applications.
The information is either needed to fulfil your request or to enable us to provide you with a more personalised service. You don't have to disclose any of this information to browse our sites. However, if you choose to withhold requested information, we may not be able to provide you with certain services.
We may research and gather geographic, demographic and other data that helps us better understand your interests and preferences, and better support your needs. In the process, we may use additional publicly available information, which may be gathered by a third party. This is sometimes referred to as ‘profiling’ (see ‘Building profiles and targeting communications). This does not make any automated decisions, but you may ask us to remove any such data we hold at any time.
We might also use anonymised data (that is data with any personal information removed so that you cannot be identified) from cookies to make sure our website is easy to navigate and you see the information that’s most relevant to you. You can find out more about cookies.
How do we use your information?
Depending on how we receive this information (see ‘How do you obtain my personal information?’) we may process it in various ways. For example, if you’ve requested information by filling in a form, we use it to ensure we’re sending you what you’ve asked for; if you make a donation, we need some personal data to process the payment.
When we collect your data we may ask you for permission to send you information about our work or our products or services that we think you would be interested in. This is known as 'marketing communications' (see ‘Consent and preferences’).
There are a number of ways that we may use your personal information:
- If you contacted our Helpline or our information and support services, we may use your personal information to give you the information, support, services, or products you ask for.
- We use your information to gain a full understanding of your situation so we can develop and offer you the best possible personalised services.
- We use your information to keep a record of your relationship with us and for internal administrative purposes (such as our accounting and records), and to let you know about changes to our services or policies.
- We use your personal information to look into, and respond to, complaints, legal claims or other issues.
- We use your personal information to claim Gift Aid on your donations.
- We use personal data to carry out statistical analysis and research in order to help us to understand how we are performing and how we can improve our services and meet the needs of people that require our help.
Marketing communications could include providing information about the work that we do and how we spend money, or opportunities to get involved in our work or to support us through donations or fundraising.
We may use your information to send you communications about our work and how you can help, for example, information about our campaigns, volunteering and fundraising activities and how you can donate to us. Occasionally, we may include information from partner organisations or organisations who support us in these communications. Our forms have clear marketing preference questions and we include information on how you can say no to such marketing.
Sensitive personal data
Data Protection Law recognises that certain categories of personal information are more sensitive. This is known as 'sensitive personal data' and covers health information, race, religious beliefs, genetic and biometric data and political opinions.
Sometimes we will ask to collect other information about you such as your gender and connection to cystic fibrosis – for example whether you are living with the condition yourself, or perhaps you have a child or relative with the condition. You do not have to provide this information if you do not wish to do so. We hold this information on our database so that we can tailor our communications to you – including information and support services and fundraising materials. We can also use this to evaluate how we are engaging with the different elements of our community, and to help prevent cross-infection for those with cystic fibrosis at events.
We will be very clear with you when we wish to collect such information and will explain our reason for collecting it. We would only collect this information with your specific consent.
Building profiles and targeting communications
Why do we research and analyse data?
The Trust may research, gather and analyse data to better support your needs, to produce relevant communications and provide a better experience for our supporters. We do this because it allows us to understand the background of the people who support us and use our services and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do or to tailor our services to better suit them. This research and analysis can help us target our resources more effectively through gaining an insight into the background of our supporters and helping us to build relationships that are appropriate to their interests and capacity to give.
What methods do we use for data research?
We may use publicly available sources of data to increase and enhance the information we hold about you. This may include obtaining details of changes of address, date of birth, telephone numbers and other contact details, information related to your wealth, and consumption and demographic data generated through the MOSAIC geodemographic tool. It may also include information from public registers and other publicly available sources such as Companies House, newspapers and magazines.
Under Data Protection Law we have a number of lawful reasons that we can use (or 'process') your personal information. One of the lawful reasons is called 'legitimate interests'.
In all cases, we balance our legitimate interests against your rights as an individual and make sure we only use personal information in a way or for a purpose that you would reasonably expect in accordance with this Policy and that does not intrude on your privacy or previously expressed marketing preferences. These may include being able to:
- send materials to you by post or contacting you by telephone for fundraising purposes (subject to checking against the Telephone Preference Service and any existing marketing preferences);
- conduct research to better understand who our supporters are and better target our fundraising activity, as well as better understand the priorities and needs of the UK cystic fibrosis community;
- monitor who we deal with to protect our charity against fraud, money laundering and other risks;
- maintain and administer our donor database.
Where we process sensitive personal data (see Sensitive personal data), we will make sure that we only do so in accordance with one of the additional lawful grounds for processing such as where we have your explicit consent, if you have made that information manifestly public or we need to process this information to protect your vital interests. When we do this, we will tell you what sensitive personal data we are collecting and why.
When I give you my information, where does it go?
If we ask you for personal information at any point, you are only sharing that information with Cystic Fibrosis Trust alone, unless otherwise stated. All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance your information may be situated outside of the European Economic Area (EEA). This will be done in accordance with guidance issued by the Information Commissioner’s Office.
Making changes to how we use your information
If you do not wish your data to be used in any of the ways listed above or have questions about this you can call 020 3795 2177 or email firstname.lastname@example.org. You can withdraw or amend your consent at any time, and you can also manage your preferences by visiting https://preferences.cysticfibrosis.org.uk/. You will also be offered the opportunity to unsubscribe on every marketing email.
How will we communicate with you?
We want to ensure you receive the level of information about the Trust that is right for you.
Email/text marketing: If you actively provide your consent to us along with your email address and/or mobile phone number, we may contact you for marketing purposes by email or text message. By subscribing to our emails or opting in to email communication from us, you grant us the right to use the email address provided for both email marketing purposes and targetted advertising
Post/telephone marketing: If you have provided us with your postal address or telephone number we may send you marketing communications or telephone you about our work, unless you have told us that you would prefer not to receive such information. We actively check telephone numbers against the Telephone Preference Service and will only make telephone calls to you where your telephone number is listed on the TPS if you have specifically told us that you do not object to such calls and have consented to receive them.
Your choice: It is always your choice as to whether you want to receive information about our work, how we raise money and the ways you can get involved. If you do not want us to use your personal information in these ways, please indicate your preferences on the form on which we collect your data.
If you don’t want to receive some or any of these marketing communications, you can let us know how you would like us to contact you (or not) by calling 020 3795 2177 or emailing email@example.com or visiting https://preferences.cysticfibrosis.org.uk/. You will also be offered the opportunity to unsubscribe on every marketing email.
What do you mean by ‘consent’ and ‘preferences’?
We require your consent to contact you by email or SMS with marketing communications. This means that we will ask your permission to contact you by these channels. You have the right to change your mind and withdraw consent at any time.
In addition to email and SMS, we would also like to contact you by post or telephone. You can express your preference for whether or not you would like to receive marketing communications from us in this way.
You can change the way you would like to hear from us (either your consent or preference) on our portal at any time.
What can I opt in or out of?
It is important that you let us know what works for you. We need your consent to process any personally identifiable information we have for you for any reason other than compliance with the law. For example, sending you our e-newsletter or e-magazine to keep you updated about our work, asking you to take part in a campaign action such as a petition lobbying the Government, or as part of demographic analysis to understand our community.
You can change or withdraw your consent or update your channel preferences at any time, either online at https://preferences.cysticfibrosis.org.uk/, or by contacting our Supporter Care team at 0203 7952 177 or email firstname.lastname@example.org. You will also be given the opportunity to unsubscribe on every marketing email.
How long will you hold my data?
We hold your information only as long as necessary for each purpose we use it, or in line with any statutory minimum retention periods required by law.If you decide not to support the Trust any more or request that we have no further contact with you, we will keep some basic information in order to avoid sending you unwanted materials in the future and to ensure that we don’t accidentally duplicate information.
We will deem your consent to last for seven years from your last active engagement with us (ie: for seven years from your last communication with us, or from taking part in an event or making a donation).
Who do we share your information with?
There may be instances where we are required to share your information with a third party. We only disclose information to third parties or individuals when obliged to by law, for purposes of national security, taxation and criminal investigations, and the following:
- If you have agreed that we may do so.
- When we use third party companies to provide services on our behalf, e.g. processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, when using auditors/advisors or processing credit/debit card payments.
- If we receive a complaint about any content you have posted or transmitted to or from one of our sites, to enforce or apply our Terms & Conditions or if we believe that we need to do so to protect and defend the rights, property or personal safety of Cystic Fibrosis Trust, our websites or our visitors and for other lawful purposes.
- If we merge with another organisation to form a new entity, information may be transferred to the new entity.
- We may disclose aggregate, anonymised statistics about our site visitors, supporters, customers and sales to describe our services and operations to prospective partners, advertisers and other reputable third parties and for other lawful purposes. These statistics won’t include any personally identifying information.
- If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register for the event.
- And, we will never sell or rent your personal information to other organisations.
Your information will be stored on our supporter database, and in the case of an online form, the content management system for our website. In certain circumstances data may be stored on a ‘cloud’ system so that colleagues may be able to access it – for example, checking a mailing list for our CF Life magazine.
If you are under 13 years old, you will need to obtain your parent/guardian's consent before sending any personal information to our website or Cystic Fibrosis Trust. We do have activities for those under 16, so we may ask your age. Before taking part please obtain consent from your parent or guardian. We will require proof of consent or age verification before accepting applications. The sole exception to this is Cystic Fibrosis Trust’s confidential Helpline, which is open to those under 13 without requiring prior parental consent, in line with data protection law.
Please note that we will not knowingly market to persons aged under 18 years, with the exception of our youth programme work.
As a parent or guardian, we encourage you to be aware of the activities in which your children are participating, both offline and online. If your children voluntarily disclose information, this may encourage unrequested messages. We suggest that you discourage your child from providing any information without your consent.
If you have any questions about how your child’s data is handled, please contact email@example.com or call 020 8464 7211. Children under 16 will be able to register at https://preferences.cysticfibrosis.org.uk/ but will not be able to update their preferences, and this will require the parent/guardian to contact us.
Using your data on the web and social media
To ensure cost-effective marketing communications, and to deliver the best experience for our supporters, we engage in targeted content and advertising using our website, social media platforms and other services.
To do this, we may use the personal information you have provided to us via one platform (such as on our website, via email or on a social media channel) to send you personalised content and messaging on another. Examples of this activity include using our website cookies in an anonymised way (not identifying you personally) and social media advertising.
We will only target you with advertising on social media using your data if you have consented to such usage, however you may still see our social media advertising via other means, where we cannot exclude individuals.
Information & support services
There are many ways that you can contact us to ask for information, support or help. The helpline is part of our support service, which also includes peer to peer support through CF Connect, welfare and rights advice and welfare grants, as well as any other activities carried out by the Trust to provide support to people affected by cystic fibrosis (CF) including adults and children with CF, friends, family, partners and carers.
All Helpline records and correspondence, as well as all documents and correspondence relating to any other support service activities are treated as confidential and only accessible to the Support Services team.
How do we keep your information confidential?
- Information is stored in confidential folders, to which only the support service team has access.
- Paper information is uploaded to secure electronic folders, and paper copies disposed of in through the Trust’s confidential shredding process.
- We ask for your permission before forwarding emails on to members of staff outside the support service team.
- Welfare grants data is stored on the Trust’s central database, but in a secure area which is only accessible by the support service team.
- Incoming post marked for the support service team is opened by the team only.
- If we need to add your data to our secure database, we will ask for your consent as to how we use or process your data. If we don’t have the opportunity to ask you and you have not been in touch with the Trust previously, you will not receive any marketing materials from us, we will exclude you from all mailings. You can change your mailing preferences at any time by contacting our Supporter Care team on 020 3795 2177 or email firstname.lastname@example.org.
- We will not discuss your contact with us, or disclose that you have been in touch with us, to your clinical team or anyone else who contacts us.
- If we need to speak to internal colleagues or our Clinical Advisory Group in order to find answers to your query, we will do this without revealing your name or any identifying information.
- Your telephone number may be visible to us when we take your call. You may wish to withhold your number. Unless you leave us a message asking for a call back or give your specific permission, we will not record or call you back on this number, or use it to identify you if you make an anonymous call.
- Unless you specifically ask us to or give your permission, we will not leave voicemail/answer phone messages if and when we call you back, even if you have asked us to call you.
The above represents our intention to maintain your confidentiality, but for all of the above points there may be times when we need to share information internally or externally:
- If we believe there is a significant risk of harm to you, or someone else. Please see our Safeguarding Policy for further details.
- If you specifically ask us to contact someone else on your behalf. We will usually ask for your written permission (which can be in an email) to do this.
- To gather further information from an endorser if you apply for a grant. This is made clear on our grant forms.
When you visit the Trust’s online store, we need to collect and process certain information from you in order to process and fulfil your order. Our ‘lawful under dData pProtection lLaw for doing this, is to fulfil our contract (ie: your order) with you. This may include:
- Information about your device, browser and IP address, as well as what products you view and how you interact with the store (such as search terms). This is in order to load the store properly for you, as well as to understand how you and others are using the site so it can be improved.
- Information necessary to process your order, such as name, billing and shipping addresses, payment information, card details, email address and phone number. This is so we can fulfil your order, process your payment, arrange for shipping, provide customer support as needed, as well as provide you with information or advertising relating to our products, services or work.
In order to comply with the principles set out in the Information Commissioner’s Office “Children’s Code”, our store also includes an age confirmation mechanism, to allow us to know if a customer is under 18, and to put in place additional protections around their data.
What are my rights?
Data Protection Law, starting in May 2018, gives everyone a number of very important rights. These are:
- Transparency over how we use your personal information (right to be informed).
- Request a copy of the information we hold about you, which will be provided to you within one month (right of access).
- Update or amend the information we hold about you if it is wrong (right of rectification).
- Request the deletion or removal of your personal data when there is no compelling reason to continue processing it (the right to erasure)
- Ask us to stop using your information (right to restrict processing).
- Ask us to remove your personal information from our records (right to be 'forgotten').
- Object to the processing of your information for marketing purposes (right to object).
- Obtain and reuse your personal data for your own purposes (right to data portability).
- Not be subject to a decision when it is based on automated processing (automated decision making and profiling).
If you would like to know more about your rights under Data Protection Law see the Information Commissioners Office website.
How do I keep my details up to date?
The accuracy of your information is important to us. If you change your address or believe any of the other information we hold concerning you is out of date, please let our Supporter Care team know, or write to: Cystic Fibrosis Trust, One Aldgate, Second floor, London EC3N 1RE. Again, you can also manage your details online by visiting https://preferences.cysticfibrosis.org.uk/.
How do I find out what data you hold about me?
As an individual, you have a right under the current Data Protection Act 1998, and from May 2018 the new regulations, to obtain information from us, including a description of the data that we hold on you. For more information about this please contact the Data Protection Officer, Cystic Fibrosis Trust, One Aldgate, Second floor, London EC3N 1RE. You can submit a request to see what information we hold about you by email, social media, SMS text message, post or phone (although you may be asked to follow up with a request in writing).
Right to complain
If you would like to complain about our handling of your data, you can contact the Trust’sData Protection Officer:
Cystic Fibrosis Trust
Phone: 0203 795 2188
You will receive an acknowledgement from us within two working days of your complaint being received.
If you would like to find out more about your information rights under data protection legislation, including the right to complain to the Information Commissioner’s Office (ICO), you can find more information at the ICO website: https://ico.org.uk/concerns/
How do you maintain confidentiality when I contact you?
We take every measure available to protect the confidentiality of our users. Enquiries you make may appear on the site anonymously, for example in the form of ‘frequently asked questions’, so the answers can help other people. Any names or personal details will be changed to maintain your confidentiality.
If you contact our confidential Helpline and we need to add your data to our secure database, we will ask for your preferences on how we use your data. If we don’t have the opportunity to ask you and you have not been in touch with the Trust previously, we will exclude you from all mailings.
Last Revised: 17 June 2022