Your privacy: our commitment to you
At Roy Castle Lung Cancer Foundation, we are committed to protecting your personal data.
In this policy, you’ll find important information about your personal rights to privacy, and how and why we use your personal information.
The details you provide will be used only by Roy Castle Lung Cancer Foundation and its trading company.
We will never swap, share or sell your details.
It’s up to you whether you choose to give us your personal information; but if you don’t, we may not be able to give you a complete service.
We’ve recently updated this policy to reflect the changes we’ve made to be compliant with the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
The main changes are that we have now:
- set out the rights you have regarding your data, such as your right to access or amend it
- detailed the ways in which we collect, store, share and use personal data and why
- set out the lawful grounds we rely on to process your data
- described how long we retain information
- clarified that we may collect sensitive personal information, if we have a valid reason to do so and it is permitted under the GDPR
- incorporated more information about why and how we collect, store, share and use patient data
If you have any questions about these changes, please contact us and we'll be happy to help.
What “Roy Castle Lung Cancer Foundation” means
Our promise to keep your information safe
We are committed to protecting your privacy. We promise to respect any personal information you share with us or that we receive from other organisations and we promise to keep it safe.
How we process your data
This policy sets out how we process your data. It also explains your rights and options around how we use your personal information.
What is personal information?
We collect, store and use the following kinds of personal information:
- Your name and contact details, including postal address, telephone number, email address and, where applicable, social media profile URL
- Your date of birth
- Financial information, such as bank details or credit/debit card details, where you provide them to make a payment. We don't store credit or debit card details, but we're required to store bank details in some circumstances, including when they're used for direct debit payments.
- Information about your computer/mobile device and your visits to and use of this website, including for example your IP address and geographical location
- Information about our services which you use/which we consider of interest to you
- Information as to whether you are a taxpayer so that we can claim Gift Aid.
What is sensitive personal information (special category data)?
The General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection.
For example, this includes information about your health, religious beliefs, ethnicity and political opinions.
While providing support to lung cancer patients, we routinely collect sensitive personal data. In other limited cases, we may collect and/or use your sensitive personal information.
In each case, we will only do so if we have a valid reason and the GDPR permits it, as described in how and why we use your personal information.
We collect information about you:
...when you give it to us directly
This might be when you:
- interact with us online
- register with us to take part in our activities or information days
- ask about our activities
- make a donation
- seek information or assistance from us
- buy something from our online retail shop
- register for Gift Aid to help us
- apply to work or volunteer for us
- give us your personal information in any other way, for example if you share your story with us to help us to raise awareness of lung cancer and/or the charity.
We may also obtain information about you from other sources, such as if a family member or friend contacts us on your behalf, or if a fundraiser passes on your details to us.
...when you give it to us indirectly
This is when your personal information is given to us by third parties. These might be:
- websites such as, but not limited to, JustGiving, Virgin Money Giving, Everyday Hero or BT My Donate
- business partners
- sub-contractors in technical, payment and delivery services
- event organisers such as, but not limited to, Tough Mudder, Global Adventure Challenges, Ride London, Time Outdoors, Run Britain, The Skydive Centre, Run4Charity, Action Challenge, Payroll Giving
- when you register interest or sign up for an event or commit to making a donation through your monthly salary
- advertising networks
- analytics providers and search information providers.
Third party organisations who collect data on our behalf
We work with a number of external organisations who collect data on our behalf. These include, but are not limited to:
- Time Outdoors
- Action Challenge
- Skydive Centre
- Global Adventure Challenges
- Real Buzz
- Classic Tours
Information and Support Services
- National Lung Cancer Forum
- Health Unlocked
- JustGiving
- BT My Donate
- Payroll Giving in Action
- Sharing the caring
- Hands-On Payroll Giving
We have given permission to organisations such as these to collect data on our behalf and, unless you specify otherwise, they will share that data with us.
You’ll always hear from them when this happens, and you’ll be told how and why we intend to use that information.
You might tell us through a third-party website (such as the London Marathon) that you’d like to fundraise for Roy Castle Lung Cancer Foundation by taking part in an event. When this happens, we’ll contact you by phone or email to check how you’d like to hear from us in the future, and to offer you support with your fundraising efforts.
...when it’s available publicly
Some information about you may be in the public domain, using public registers such as Companies House, the electoral roll and press reports. For example:
- whether you have charitable interests
- to establish possible common connections between our network and yours
- Depending on your privacy settings for professional services such as LinkedIn.
...when you visit this website
When you visit this website, we automatically collect the following personal information:
technical information, including:
- the internet protocol (IP) address used to connect your computer to the internet
- your browser type and version
- your time zone setting
- browser plug-in types and versions
- your operating systems and platforms
information about your visit to our website, including:
- the uniform resource locator (URL) clickstream to, through and from this site (including date and time)
- products/services you viewed and searched for
- page response times
- download errors
- length of visits to certain pages
- referral sources (how you arrived at the website)
- page interaction information (such as scrolling and clicks)
- methods used to browse away from the page.
We will only contact you through social media sites such as Facebook, LinkedIn, Instagram or Twitter if your privacy settings give us access to your contact details.
Our online retail shop is hosted by a third-party organisation that provides the platform that enables us to sell our products and services to you. Your data is stored on their own databases on a secure server. Payments adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, a joint effort of brands like Visa and Mastercard. Payments made by PayPal also adhere to these standards.
How and why do we use your personal information?
We use your personal information to:
- provide you with services, products or information you’ve asked us for
- provide further information about our work, services, activities or products
- allow you to purchase goods
- process your donations
- help us claim Gift Aid on your donations
- further our charitable aims, including for fundraising activities
- research the impact and effectiveness of our work and services
- register, administer and personalise online accounts
- register and administer your participation in events you’ve registered for
- administer and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
- improve your interactions with our website, for example by making sure that content is presented in the most relevant and effective manner for you and for your computer/mobile device
- report on the results and impact of our work, services and events
- analyse and improve our work, services, activities, products or information (including our website) or for our internal records
- use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you
- process your application for a job or volunteer role with us
- support training and/or quality control
- audit and/or administer our accounts
- satisfy legal obligations which are binding on us, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work
- prevent fraud, misuse of services or money laundering and to perform due diligence in respect of larger donations
- reduce credit risk
- establish defence and/or enforcement of legal claims
- let you know about changes to our services or policies
- communicate with you in any other way
- help us improve the quality of our services.
How creating a record for you helps us to be more relevant
We may use your personal information to create a record of your interests and preferences.
This means we can make our contact with you more relevant, timely and appropriate.
It also helps us understand the background of our supporters to help us make sure that what we’re asking is appropriate.
Marketing to you and talking about fundraising
We use your details to give you information about our work, events, services and/or products which we think might interest you.
For example, we might contact you about goods or services you’ve purchased or used in the past, or send you updates about our fundraising appeals, volunteering opportunities and latest campaigns.
Where we do this via email, SMS or phone (if you are registered with the telephone preference service), we’ll only do this with your prior consent.
Donations and other payments
When you use our secure online donation or payment pages, you’ll be directed to a specialist supplier company, who will receive your credit card number and contact information to process the transaction. We don’t retain your credit or debit card details.
Where we capture children’s data online, we’ll seek parental consent for any children under 16. We won’t actively market to under 18s.
How long do we keep your personal information?
In general, if we no longer need your information for the reasons you gave it to us, we remove your personal information from our records six years after the date it was collected. But we’ll remove it sooner if:
- your personal information is no longer required for the purpose you shared it with us
- we’re no longer lawfully entitled to process it
- you ask us to remove it.
What happens if you ask for your data to be removed?
If you ask to receive no further contact from us, we’ll keep some basic information about you to make sure we don’t send you unwanted materials in the future.
Our lawful grounds for processing your information
The GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds we think are relevant.
- Where you’ve given your consent for us to use your personal information in a certain way
- For example, we’ll ask for your consent to use your personal information to send you electronic direct marketing/fundraising, and we may ask for your explicit consent to share sensitive personal information with us
- Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services)
- Where necessary for the performance of a contract we have with you or to take steps before entering a contract (for example, if you purchase something from our online shop or apply to work for/volunteer with us)
- Where it is in your/someone else’s vital interests
- Where there is a legitimate interest in us doing so (for example, writing to supporters to let them know about our work and ways of supporting us).
What do we mean by ‘legitimate interests’?
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests, providing that processing is fair, balanced and does not unduly impact your rights.
Our legitimate interests
In broad terms, our “legitimate interests” means running Roy Castle Lung Cancer Foundation as a charitable entity in pursuit of our aims and ideals. For example, by:
- providing information about lung cancer
- processing donations
- administering events
- taking applications for staff and volunteers.
Your legitimate interests
“Legitimate interests” can also include your interests, such as when you have requested information or certain goods or services from us, and those of third parties (for example, beneficiaries of our work and services).
How do we balance these interests?
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws.
We won’t use your personal information for activities where our interests are overridden by the impact on you. For example, where use would be excessively intrusive, unless, for instance, we are otherwise required or permitted to by law.
Processing sensitive personal data
The GDPR prohibits the processing of sensitive personal data (special category data) unless additional conditions are met.
We think the following conditions are relevant, in each case in accordance with the relevant safeguards:
- where the processing is necessary for the provision of health or social care
- where the processing is necessary for scientific research.
Will we share your personal information?
We never share, sell or rent your information to third parties for marketing purposes.
However, in general we may disclose your personal information to selected third parties in order to achieve the other purposes set out in this policy.
In particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- if we are under any legal or regulatory duty to do so; and/or
- to protect the rights, property or safety of Roy Castle Lung Cancer Foundation, its personnel, users, visitors or others.
Security, storage and access to your personal information
We promise to keep your personal information safe and secure.
We have appropriate and proportionate security policies and organisational and technical measures in place to help us do this. For example, we require specialist suppliers who process secure payments to comply with the Payment Card Industry Data Security Standard (PCI DSS).
We have achieved ISO 27001 certification. This is the international standard that provides the specification for a best-practice information security management system (ISMS).
Achieving accredited certification to ISO 27001 provides an independent, expert assessment that information security is managed in line with international best practice and business objectives. It demonstrates that we have identified the risks, assessed the implications and put in place systemised controls to limit any damage to the organisation.
Who can see my personal information?
Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.
Where is my personal information stored?
The personal information that we collect from you will be stored at a destination within the UK or European Economic Area (“EEA”).
We take all reasonable steps necessary to make sure the recipient implements appropriate safeguards (such as by entering into standard contractual clauses) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Policy.
These are your rights in relation to how we process your personal information:
Right to be informed
You have the right to be told how your personal information will be used. This policy and other policies and statements used on this website and in our communications provide you with a clear and transparent description of how your personal information may be used.
Right of access
You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information.
Provided we are satisfied that you are entitled to see the information requested and we’ve successfully confirmed your identity, we’ll give you your personal information (subject to any exceptions that apply).
Right of erasure
You have the right to ask us to delete your personal information, and we’ll do this when you ask us to. In many cases, we’ll check to see if you’re happy for us to make it anonymous first, rather than delete it completely.
Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records.
You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.
Right to object
You have the right to object to processing where we are:
- processing your personal information on the grounds of legitimate interest
- using your personal information for direct marketing or
- using your personal information for statistical purposes.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
This includes the right to ask us to stop using your personal information for marketing or fundraising by electronic means (for example to be unsubscribed from our email newsletter list).
Right to data portability
Where we are processing your personal information:
- because you gave us your consent
- because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, and the processing is carried out by automated means
you may ask us to provide it to you – or another service provider – in a machine-readable format.
Rights related to automated decision-making
Where we take automated decisions (ie with no human involvement) in relation to your personal information, you have the right to ask us for human intervention or to challenge any such decision.
How to exercise your rights
To exercise any of these rights, please send a description of the personal information in question using the contact details below. We reserve the right to ask for:
- personal identification
- further information.
Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO) or please contact us.
You have the right to make a complaint to the ICO about us or the way we have processed your personal information. Find further information on how to exercise this right or contact them.
Changes to this Notice
We may update this Policy from time to time so please check back periodically. We will notify you of significant changes by placing a notice on our website. This Policy was last updated in December 2018.
Links and third parties
We link our website directly to other sites. This Policy does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
How to contact us
Please let us know if you have any questions or concerns about this policy or about the way in which your personal information is being processed by contacting us at the following channels:
If you’d like to contact us about data protection (“DPO”), email firstname.lastname@example.org
Call 0333 323 7200 during normal office hours
Roy Castle Lung Cancer Foundation
Head Office Cotton Exchange Building
Old Hall Street
Address any concerns to our Data Protection Officer & Deputy Chief Executive Mike Grundy, email@example.com
By giving us your email address, you’re giving us permission to email you about our work.
©2019 Roy Castle Lung Cancer Foundation. Registered Charity, England & Wales (1046854), Scotland (SC037596). Registered company limited by guarantee, England & Wales (03059425). Registered office: Cotton Exchange, Old Hall Street, Liverpool L3 9QB
Last updated: 21st Jan 2019