This policy document sets out how Unique collects, stores and uses the personal data you share with us, for example when you join us as members, fundraise for us, make donations or volunteer with us. It describes the information we collect, how long we will retain it for, who will have access to it and your rights, such as your right to access the information we hold about you.
Please read our policy setting out how Unique collects, stores and uses the personal information you share with us. It describes what information we collect, how long we will retain it for, who will have access to it and your rights. This is a summary of the policy:
- We collect personal information when you join us as family members, including you, your family member with a rare chromosome disorder and other members of your immediate family. This includes health information. This is to enable us to provide support services relating to rare chromosome and gene disorders and to communicate with you.
- We collect personal information when you join us as professional members (e.g. clinicians and social workers), such as contact details, workplace and specialism.
- We collect information about our supporters, fundraisers and volunteers to enable us to contact you about your fundraising, donations, volunteering and buying merchandise and to meet our legal requirements to maintain accurate financial records.
- You may also give us your permission to contact you separately about topics such as fundraising, awareness-raising, volunteering.
- We only collect the information we need to provide the best possible service to our members. Information you provide may also benefit other member families.
- Data provided when you join Unique as members is stored for the duration of your membership. Other data, such as financial records of donations or standing orders, is retained for as long as is necessary to meet our legal requirements. For purposes other than our support services (e.g. fundraising, volunteering) we will seek to check your consent (to contact you) every three years.
- We protect the security of the data you provide us, including using the latest encryption technologies and secure backups. Our IT contractors have robust policies in place and we would be happy to share these with you on request.
- We will never sell or otherwise share your personal data with third parties for marketing purposes. Personal (i.e. identifiable) data would only be shared for other purposes if we were required by law to do so or we had your explicit, express consent. Any third parties we work with are contracted to keep your data secure and treat it in the strictest confidence, using the latest security.
- We use the data we hold on family members and their RCDs and their effects in anonymous format to research and write guides, provide support and information to other members and clinicians and for research into and raising awareness of RCDs.
- Only designated staff members can access members’ health information.
- You have a number of rights, including the right to access the data we hold about you and the right to ask us to delete all data we hold about you at any time.
- We may change this policy from time to time, e.g. to reflect changes in the law or guidelines from appropriate regulators. Please check our website (rarechromo.org) regularly for details of any changes.
Who We are
We are the Rare Chromosome Disorder Support Group, known as Unique.
The Rare Chromosome Disorder Support Group is a charity registered with the Charity Commission in England and Wales with Charity No. 1110661 and a Company Limited by Guarantee (Company No. 5460413).
In this policy, ‘we’, ‘us’, ‘our’ or ‘Unique’ refers to the Rare Chromosome Disorder Support Group (also known as Unique); ‘you’ or ‘your’ means any person(s) from or about whom we collect personal information/data. Personal information/data is information that can be used to identify a living individual, for example name, address, telephone number or email address.
‘RCD’ refers to ‘Rare Chromosome and/or Gene Disorder’
We take your privacy seriously and adhere to the Principles of the General Data Protection Regulation (GDPR) and relevant European Union Data Protection Directives such as the Privacy and Electronic Communication Regulations (PECR). For help and guidance about any aspect of the law relating to privacy and data protection, visit the Information Commissioner’s website at www.ico.gov.uk
What information do we collect?
We collect various different types of personal information:
1. When you join us as members of Unique:
Your contact details, including your name, address, telephone number and email address. Your gender. Details of your affected family member and other members of your immediate family. This information is only collected and stored with your consent, gained when you first provide the data. Your choices relating to your consent for us to store and use your data are stored on our electronic database.
The information we collect about your affected family member includes their full name, gender where known and date of birth. It also includes Health Information such as diagnosis, syndrome name if applicable, genetics laboratory report, genetic analysis result, genotype, medical information, symptoms, phenotype, other personal information about their family, medical, educational and social care correspondence, health, development and behaviour, symptoms, positive aspects. Type of school attended. Day centre/work placement, care facility. List of hospitals and doctors they have been to and treatments.
This data is collected in order that we can register you as a member family and provide services to include sending a welcome pack, providing information related to RCDs, providing practical information & contacts to you, care for your affected family member, family matching, sending of magazines (paper and electronic) and contact in case of a query. We only collect this information from you if you choose to provide it to us – (consent is our lawful basis for processing these data). You can choose to terminate your membership or ask us to delete any data at any time by emailing firstname.lastname@example.org or calling 01883-723306.
Under the Data Protection Act 2018, (Schedule 1, Part 2, Paragraph 16) concerning ‘Support for individuals with a particular disability or medical condition’, patient support groups such as Unique can continue processing data in special categories such as health information and genetic/biometric data, outside of the usual consent requirements, when in the public interest. This means that once we have your consent to process the data you provided us when you joined as Unique members, we will continue to process these data until you tell us otherwise. For further information on the Data Protection Bill, please see www.legislation.gov.uk or www.ico.org.uk
We collect information from clinicians and other professionals such as social workers and researchers in order to register you as professional members, because you have contacted us or we have contacted you for the purpose of providing you with information, networking or other professional collaboration (e.g. with professionals who are not Unique members). Information/data collected includes name, address, telephone, email address, job title and place of work, qualifications and contact preferences. consent. You can choose to terminate your membership and/or have your data deleted at any time by emailing email@example.com or calling 01883-723306.
2. When you make a financial transaction, such as a donation, paying in funds raised or buying merchandise:
We collect information about our sources of income in order to produce accurate financial statements and to comply with the law relating to the retention of financial data (for example the Companies Act 2006 and Gift Aid).
When you make a donation via the Unique website at www.rarechromo.org we collect certain information to enable us to process the transaction. This information includes your name, address, email address, telephone number, bank and bank account details, credit/debit card details, reason for donation, items ordered and/or donations made. Some of this information is shared with our secure payment partners, WorldPay and Paypal to effect the transaction. Your credit/debit card details are recorded on WorldPay’s secure site and we recommend that you consult WorldPay’s data protection policy on their website or, if you use Paypal, see the Paypal website.
If using one of our other online fundraising and donations partners such as Justgiving, Virgin Money Giving and DoitforCharity, you will be asked to provide personal information and will be asked whether you consent to us making contact with you (in which case we will use that data in accordance with this policy). Please see their relevant privacy policies which are on their websites.
If you make a payment or a donation by any other method, e.g. post, charity cheque, direct debit/ standing order, we retain a paper record of your financial transaction. This is shared with our chosen auditors and if we are legally required to disclose it, to the relevant authorities. By voluntarily submitting your personal information to us, you are consenting to the use of your personal information for effecting a payment or donation. If you submit a signed Gift Aid Declaration to us, we retain it for HM Revenue & Customs (HMRC) purposes and will share with HMRC to comply with our legal requirements.
3. When you fundraise or volunteer for Unique:
We collect and store your contact details, including your name, address, telephone number and email address, plus any other information you provide voluntarily, such as your reason for fundraising/volunteering. We also store details of your online fundraising page/s and the event/s you are taking part in or the fundraising/volunteering/awareness-raising you are undertaking. Our bases for collecting and storing these data are that this meets our legitimate interests, to raise the funds we need to ensure the sustainability of our key services and to meet our legal requirements, for example to maintain accurate financial records, to enable us to make accurate Gift Aid claims and to report where necessary to the Charity Commission.
When contacting us about fundraising, we will store emails you send us and will record in written/note form details of telephone conversations, in order that we can help your fundraising. We will also direct you to our chosen online fundraising partners such as Virgin Money Giving and Justgiving, who will collect your personal information when you set up an online fundraising page to collect sponsorship.
We collect this information to enable us to send administrative messages, to thank and support you, send you fundraising materials and contact you in case of query. This information also enables us to meet our legal requirements to accurately produce accounts/financial statements/gift aid.
4. When you agree to be contacted by Unique about relevant topics other than our family support services:
We ask both members and non-members for their consent for us to communicate with them about other topics such as awareness-raising, volunteering and fundraising. To do this we collect and store personal information/data such as name, address, email address and telephone number and also how you would prefer to be contacted, such as by email, post, telephone or a combination. You can choose not to be contacted about these topics at any time by emailing firstname.lastname@example.org or calling 01883-723306.
5. When you browse the Unique website:
We collect anonymous, non-personal information about the users of our website. Whenever you access our website or download information, the web server automatically records the following non-personal information: the date and time you accessed our website, how long you were on the site, your Internet domain name and the internet browser you use. This information helps us to improve our website service.
6. When you are employed by Unique or become a trustee:
We hold personal information about our current and past employees and trustees, including name, address, telephone number, email address, date of birth, employment history, bank account information, tax and national insurance and pensions, details of other trusteeships, directorships and declarations of interest.
This information enables us to meet our legal requirements in relation to employment and also charity governance and take decisions on employee and trustee recruitment and employment, future strategy and to enable us to further our charitable aims.
Legal Basis for Processing Your Data
Each time we process your data, we must have a ‘Legal Basis’ for doing so
GDPR (EU Regulation 2016/679) states that in order to collect, store or process different categories of data, organisations who are ‘data controllers’ need to meet one or more of a number of ‘legal bases for processing’ data. This includes Specific, Informed Consent (i.e. where you have given your consent, such as when you join us as a member or agree to us contacting you about other relevant topics), Meeting our Legitimate Interests as a charity (except where this would override your individual rights or interests), Meeting our Legal Requirements (e.g. to maintain accurate financial statements under the Companies Act, 2006) and Carrying out the requirements of a Contract. For further information about these legal bases for processing data, please see the Information Commissioner’s website at www.ico.org.uk
Data Security and Access
Keeping your data safe
Working with our IT contractors, we have implemented technology and policies to protect your privacy from unauthorised access and improper use. This includes the use of encryption technology. These are constantly kept under review and will be updated as necessary to comply with legal requirements. Health information we collect and store is classified as sensitive under the GDPR and therefore has a higher level of security.
Data provided as part of your Unique membership is stored securely on a server in the United Kingdom. Regular back-ups of data are taken at secure facilities, arranged by our IT contractors and also located in the United Kingdom. Any paper records are stored securely in the United Kingdom.
We have a contractual relationship with a provider of bulk email, survey and event registration services and store limited data (email addresses, not health or other sensitive data) on their secure servers located in the USA to enable us to communicate with you cost effectively.
While we cannot absolutely guarantee that loss, misuse or alteration of data will not occur, we use our very best efforts to prevent this.
Who can access your data?
Our members of staff have access to your basic personal information but only those staff members who require access to carry out their job roles are able to access members’ medical/health information.
If you are Unique members, where we have your express consent to do so and in a manner of your choosing, collected at the time you join us as members or at any later date, your data may be disclosed only to other registered Unique members as part of our family matching service. This is in order that you can contact other families for the purposes of sharing information and mutual support. These family members may reside outside of the European Union. They are informed that they must keep your data secure and are not to disclose it to any third party. I think we need to think carefully about how we do this. I am not sure we are compliant.
We may use third party companies to provide services on our behalf. This could include services such as bulk email services, in order that we can communicate with members and supporters in the most cost-effective way. In these cases, data will be stored on the third parties’ servers and we will ensure that we have undertaken appropriate due diligence and have contracts in place which commit them to high levels of data security and confidentiality.
We may also contract with companies or make use of volunteers to provide services including packaging, mailing and delivering purchases, answering customers’ questions about products or services, sending postal mail, e-mails and text messages, analysing data and processing credit card payments. We will only provide those third parties with the information they need to deliver the service and they are prohibited from using it for any other purpose. We require all third parties to treat your personal information as fully confidential and to comply with all applicable UK Data Protection and consumer legislation.
We may disclose personal information if required to do so by law or if we have reasonable grounds to believe that such action is necessary to protect and defend the rights, property or personal safety of Unique, our members, any child or vulnerable adult, our staff or any visitor.
Except as indicated above we will not use or transfer this data to any third parties without your express permission.
How long do we keep your information?
We keep your information for only as long as is necessary or until you ask us to erase it. As RCDs are lifelong conditions, we will store and process the data (including the health information) you provided when joining Unique, throughout the duration of your membership. We will contact Unique members periodically to ask you to update us about the data we hold in our database about you and/or your family member’s RCD. You will receive a copy of the data we hold (using a ‘database form’) and you will be asked to update this. We will erase any data on request.
Where you have provided it, we will seek to refresh your consent to contact you about topics outside of your Unique membership from time to time. If you do not give consent, we will assume you do not wish to be contacted and will record this electronically and cease communication with you about these topics outside your membership. This will not affect your Unique membership and providing you with support and information services if you are also members.
If you apply for a position with Unique and do not join Unique, we will retain the data you provide, solely for recruitment and will not use it for marketing purposes. It is retained in order that we can answer any queries relating to the recruitment process.
Under the GDPR, individuals have a number of rights concerning their personal information and we will adhere to these:
You have the right to access the personal information we hold about you. You can request this verbally or in writing and when we receive such a request we will endeavour to respond quickly but within a maximum of one month. This is called a Subject Access Request (SAR) and there is no charge. Following this you have a right to request that any data held about you that you feel is inaccurate is rectified or completed if incomplete. You also have the ‘right to be forgotten’, i.e. for all data we hold about you to be erased and also to require us to restrict or ‘suppress’ how we use your data (you might for example be happy for us to store it but not process it for certain purposes). Again, we will respond as quickly as we can to such requests but within a maximum of one month.
To make a request, for example to access the information we hold about you, call +44 (0)1883-723306 or email email@example.com or you can write to us at the address at the end of this policy document.
For full information about your rights under GDPR, please visit the Information Commissioner’s website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
Should you feel unhappy about the way/s in which we have collected, stored or processed your data and wish to make a complaint to a supervisory authority, please contact the office of the Information Commissioner (www.ico.org.uk)
Who has access to your information?
Unique operates ‘hierarchical’ access to data stored, meaning that only those staff/trustees who need to access certain data are able to. For example, only staff requiring access to carry out their roles, e.g. assisting families on our telephone and email helpline, or writing information guides, are able to access the health information provided by Unique members and stored on our database. For security, data is only accessible on a ‘need to know’ basis.
This is necessary in order to process the information and to send you the information you have requested. Information submitted by you may be transferred by us to our other offices and to other reputable third party organisations as referred to in this Policy, and these may be situated outside the European Economic Area.
Do we collect information about children and vulnerable adults?
Yes, we collect personal and medical information provided to us by members about children or vulnerable adults in their care. We place great importance on the security and accuracy of this information and only store this information in our secure database. Whenever possible, we obtain the consent of the guardian or responsible adult before collecting information about children and/or vulnerable adults. Our staff will make all reasonable attempts to ascertain whether an adult has the necessary capacity to consent to submit their information to us and for us to retain that information on our secure database. Only designated senior members of staff have access to this information.
Links to other websites
Changes to this Policy
We may make changes to this policy from time to time, for example to update it to reflect changes in the law or guidelines from appropriate regulators such as the Information Commissioner (www.ico.org.uk). Please check our website (www.rarechromo.org) regularly for details of any such changes.
If you have any questions or concerns about how we protect your personal information, please contact us.
Unique – Rare Chromosome Disorder Support Group
Station Road West
Telephone: +44 (0)1883-723306
Last edited 24th May 2018 by Craig Mitchell, C.O.O. and Company Secretary.