We ensure that we use your information in accordance with all applicable laws concerning the protection of personal information. This policy explains:
- Who we are
- Our promise to you
- Why we collect your data
- What type of data do we collect about you
- Lawful basis for processing your data?
- Marketing and fundraising
- Third Party data
- Website users and Cookies
- What we do with your personal information
- Keeping your data
- Your rights
- Caldicott Guardian
- Sharing your story
- Helpline Policy
- Complaints, compliments or comments
- Use of Zoom for remote working
Who we are
Epilepsy Society (the Data Controller) is the UK’s leading provider of epilepsy services. Through our cutting edge research, awareness campaigns, information resources and expert care, we work for everyone affected by epilepsy in the UK. Epilepsy Society is a Registered Charity No. 206186 and a Company Limited by Guarantee No. 492761, located at Chesham Lane, Chalfont St. Peter, Buckinghamshire SL9 0RJ. Our website is owned and operated by Epilepsy Society.
Our promise to you
We promise to respect any personal data you share with us, or that we get from other organisations, and to keep it safe. We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.
We balance your rights as an individual and take every possible step to protect the privacy of the people who contact us. We make sure that we only use your information in the way you have told us that you are happy with. Our staff are trained in data collection and we ensure our systems are fully secured.
Why we collect your data
We will process your personal data when you:
- sign up for our e-newsletter or event
- contact us by email
- carry out a transaction through our online shop
- make a donation
- receive support from one of our services
- apply to work for us
- join through our membership form
- complete a survey
Website service administration and analysis
Your basic personal data will help us to provide you with information on our services, to enable our fundraising activities and the administration of our charity, and to comply with our obligations to keep records (for example for HMRC when we receive Gift Aid donations).
Developing a better understanding of our supporters through their personal data allows us to tailor our communications and make better decisions on how and what we communicate with you.
If you do not provide us with the data we may be unable to complete an order for you or reclaim tax when you have requested us to do so.
What type of information do we collect about you?
The type and quantity of information we collect and how we use it depends on why you are providing it.
Typically, the basic personal information we collect will include:
- your name
- your contact details
- your date of birth
- your gender
- your email address
- your telephone number
If you have made a donation, we may collect the reason for donating to Epilepsy Society and your bank details (for Direct Debits).
If you receive support from one of our services we will collect more detailed information about you. This could include information about your medical conditions and your support needs. We will also collect information about family, where it is required, such as next of kin and emergency contacts.
Lawful basis for processing your data?
Organisations are permitted to process data if they have a legal basis for doing so. Epilepsy Society processes your personal data on the basis that:
- You have given your express and informed consent to the processing; and/or
- Epilepsy Society has a legitimate interest in processing your personal data; and/or
- The processing of the personal data is necessary in relation to a contract or agreement which you have entered into or because you have asked for something to be done so you can enter into a contract or agreement; and/or
- There is a legal obligation on Epilepsy Society to process your personal data.
Where Epilepsy Society is relying solely on consent as the basis for processing your personal data, we are required to obtain, and keep records of, your consent. You can modify or withdraw this consent at any time by notifying us in writing, although this may affect the extent to which we are able to interact with you in future.
Notwithstanding any change to this policy, we will continue to process your personal data in accordance with your rights and our obligations in law.
Marketing and fundraising
We would like to use your name and email address to inform you of our future marketing and fundraising activities. You can unsubscribe at any time via phone, email or our website.
We carry out targeted fundraising activity to ensure that we are contacting you with the most appropriate communication, which is relevant and timely and will ultimately provide an improved experience for you. In doing so, we may use wealth profiling techniques to provide us with information about you. Such information is compiled using publicly available data about you or information that you have already provided to us.
We keep your personal information only for as long as required to operate the service in accordance with legal requirements, tax and accounting rules or to effectively steward our supporters. Where information is no longer required, we will ensure it is disposed of in a secure manner.
We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.
The Epilepsy Society may need to share this information with a third party, either through legal obligation or choice, but will still be responsible for safeguarding the rights and privacy of the individuals that have trusted us with their personal information. The types of organisations we may share your data with:
- Telemarketing agencies for communication and fundraising purposes
- Third party platforms (e.g. justgiving.com, virginmoneylondonmarathon.com)
It is always your choice as to whether you want to receive information from us. You may opt out of our marketing communications by clicking the ‘unsubscribe’ link at the end of our marketing emails or through our unsubscribe number 01494 601 300.
You can change any of your contact preferences at any time (including telling us that you don’t want us to contact you for marketing purposes by telephone, or by post) by contacting our Data Protection Officer, Protecture at email@example.com or by contacting our donor support team on firstname.lastname@example.org
Third Party data
What we do with your personal information
All the personal data we process is processed by our staff in the UK. For the purposes of IT hosting and maintenance this information is located on servers within the UK and we will not transfer your personal data outside the EEA. No third parties have access to your personal data unless the law allows them to do so.
We have a Data Protection programme in place to oversee the effective and secure processing of your personal data. We do not use any automated decision making.
Keeping your data
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (for example the collection of Gift Aid). We will hold your personal information on our systems for as long as is necessary for the relevant activity, for as long as is set out in any relevant contract you hold with us or for as long as is set in our retention schedule.
If you would like to know how long we keep your information for, please contact our email@example.com.
Your rights
You have various rights under the GDPR. In particular, you may object to the processing of your personal data. When you want to exercise one of these data subject rights – and you are eligible to – Epilepsy Society will respond according to the GDPR.
- The right of access: you have the right to know whether Epilepsy Society is processing data about you and, if so, you can request access to it.
- The right to rectification: if your personal data is inaccurate, Epilepsy Society will correct it.
- The right to erasure or right to be forgotten: you are able to ask to delete your personal data if you no longer want it to be processed and there is no legitimate reason for Epilepsy Society to keep it.
- The data subject right to restriction of processing: you have the right to limit the processing of your personal data.
- The right to be informed: you have the right to clear and understandable information about who is processing your data, what they are processing and why they are processing it.
- The right to data portability: you have the right to ask us to transfer your personal data to another service provider.
- The right to object: you can tell us if you do not want your personal data to be processed or to continue being processed.
- The right not to be subject to a decision based solely on automated processing: including profiling, which produces legal effects or significantly affects you.
If you wish to exercise any of the above rights please send a written request to: firstname.lastname@example.org
Alternatively you may call us on 01494 601300 or post your request to:
Data Protection Officer Epilepsy Society Chesham Lane Chalfont St Peter Buckinghamshire SL9 0RJ
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/.
Caldicott Guardian
If you have any queries or concerns about how your data or sensitive information is stored or used at Epilepsy Society, you can contact our Caldicott Guardian, Rebecca Salvatierra, Director of Care, at Caldicottguardian@epilepsysociety.org.uk or call reception on 01494601300.
Helpline Policy
Helpline calls
All calls to the helpline are confidential. This means that the helpline will not share anything about you with anyone else, unless you ask us to do so or in the very limited circumstances we have explained below.
We do not record your call to us, but we do record some statistical information about each call, for example, gender, whether you have epilepsy yourself, know someone who has epilepsy or are calling from an organisation, and the time and duration of your call. This data helps us understand who is using our helpline, which helps us understand if there are things we should do differently. From time to time staff may listen in to calls for training or support. Those staff are bound by the same rules of confidentiality as the call handler.
Helpline emails
All emails to the helpline are confidential. This means that the helpline will not share your email with anyone else, unless you ask us to do so, or your enquiry is best answered by another department within Epilepsy Society, who will, of course, also treat it as confidential. We only record the number of emails we receive to the helpline email address.
Why we need it
To help us to improve our service, staff may listen in to your call with us. We may take notes during your call to help us to understand your situation. We may need to know your basic personal data in order to send you any information you request during your call to us. We use statistical information about your call to produce reports, to help us to improve the service we provide. We do not pass on the details of anyone contacting our service to anyone else, except in the following situations:
- We receive a call threatening terrorist activities.
- You specifically ask us to pass on information about you to someone else.
- You are in a situation that has caused or may cause you harm, you have given us information that identifies you, and you are not able to make a decision for yourself.
- You give us information that can identify someone who has caused harm or who threatens to cause harm to someone else.
- You threaten the safety of our helpline staff.
- You compromise our service by making it difficult for other people to contact us or by misusing our service. If this happens, we may take a decision to limit access to our services.
We are satisfied that we have a legitimate interest in processing the limited amount of data that we have in order to provide support for people with epilepsy and their families and other people who may have concerns about this condition and that we take every possible step to protect the privacy of the people who contact us.
What we do with it
Any personal data we collect is processed by our helpline staff in the UK.
Unless one of the situations arises where we have to pass on your information as explained, the only records of your call that are retained are the metadata (the number you called from, date, time and duration of the call). We use call metadata for reporting purposes and to analyse the efficiency of our Helpline service.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. We do not use any automated decision making.
How long we keep it
Any notes taken during the call are securely disposed of at the end of each shift. Call metadata is retained for analysis and reporting purposes. We will retain data in accordance with our data retention policy.
Helpline emails
Emails to the helpline are retained for 45 days for analysis and reporting purposes.
Use of Tidio for Helpline webchat service
For our webchat service we use Tidio, a GDPR-compliant platform with full end-to-end encryption. This means that everything you say during a session is kept secure and confidential between you and the person you’re talking to. In addition, we guarantee no recording of any of your details without your explicit consent; session content is held in a secure environment and is automatically deleted after 30 days. We recognise that privacy is extremely important to you and an essential part of our service.
Complaints, compliments or comments
Please let us know if you have any concerns about what we do, what you think is going well and where you think we could improve. We will take your comments seriously and they will help us get better. Use our online form to lodge a complaint, compliment or comment.
Use of Zoom for remote working
For all our video meeting calls we use Zoom, a GDPR-compliant platform with full end-to-end encryption. This means that everything you say during a session is kept secure and confidential between you and the person (or persons in group calls) you’re talking to. In addition, we guarantee no recording of any of our meetings without your explicit consent. All recordings are held in a secure environment and are automatically deleted after 30 days. We recognise that privacy is extremely important to you and an essential part of our service.