Target Ovarian Cancer has always sought to respect people's personal data. We regularly evaluate our processes and protocols to make sure we are following both the spirit and the letter of the General Data Protection Regulation (GDPR) and other legislation relating to personal data. We highly value our relationships with women with ovarian cancer, their families and friends, health professionals, and all other beneficiaries, fundraisers and supporters. Maintaining these relationships will continue to be a top priority for us.
Target Ovarian Cancer ("we") promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything you wouldn't reasonably expect. We will comply with the six principles of good practice. These provide that your personal information must be:
- processed lawfully, fairly and in a transparent manner
- processed for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up-to-date
- kept for no longer than is necessary
- processed in a manner that ensures appropriate security.
This privacy notice sets out the data processing practices carried out by Target Ovarian Cancer in relation to personal data about supporters, event attendees, grant applicants, volunteers and newsletter subscribers. For the purposes of this notice, the data controller is Target Ovarian Cancer. For the purpose of this notice we will use the group term 'supporters' to describe any one of these groups.
If you have any queries or requests concerning your personal data or would like to contact us about your preferences please contact us at Target Ovarian Cancer, 30 Angel Gate, London EC1V 2PT or at firstname.lastname@example.org, or call us on 020 7923 5470.
Our communications include our services and events, ovarian cancer news, and opportunities to support us. If you are not already receiving these communications, but would like to, please contact us on email@example.com or 020 7923 5470.
Why your personal information is important
Developing a better understanding of our beneficiaries and supporters through your personal data allows us to make better decisions about our work, fundraise more efficiently and, ultimately, helps us to improve early diagnosis, fund life-saving research and provide much-needed support to women with ovarian cancer.
Support for people affected by ovarian cancer
We run services to provide support to women affected by ovarian cancer, their families and friends, and collect personal data in order to provide those services. This includes our face-to-face events, our guides and information, our support line and our private Facebook group.
If you contact us, with your explicit consent we will record your personal information including sensitive personal data about your health that you choose to tell us. This may include information about your symptoms and diagnosis; stage, grade and type of ovarian cancer; treatment and clinical trials; and other health-related information.
We may also collect and retain your information if you send feedback about our services or if you make a complaint.
How we use your personal information
We will use your personal information:
- to deal with your enquiries and requests
- to provide you with information and updates about products or services that you have requested
- to invite you to participate in projects or activities
- for administration purposes
- to further our charitable aims including through fundraising
- for training, quality monitoring or evaluating the services we provide
- to analyse and improve the operation of our website and to analyse your website engagement.
Target Ovarian Cancer does not share sensitive personal information you provide to us with anyone, except in exceptional circumstances to comply with the nurses' code of professional conduct or where legally required. For more information please read our safeguarding policy.
If you support us, for example if you make a donation, volunteer, register to fundraise or sign up for an event, we will usually collect:
- your name
- your contact details
- your date of birth
- your bank or credit card details.
Where it is appropriate we may also ask:
- for information relating to your health (for example if you are taking part in a high risk event)
- why you have decided to donate to us (for example we ask if you've had a diagnosis of ovarian cancer, or are a family member or friend, or a health professional) – we will never make this question mandatory, and only want to know the answer if you are comfortable telling us.
We will use your data to:
- provide you with the services, products or information you asked for
- administer your donation or support your fundraising, including processing gift aid
- keep a record of your relationship with us
- ensure we know how you prefer to be contacted
- understand how we can improve our services, products or information.
We will contact you in accordance with your preferences and the law to let you know about the progress we are making, to ask for donations or other support, and/or to tell you more about the services we offer. You have the right to change these at any time, for example by clicking unsubscribe on email communications. We make it easy for you to tell us how you want us to communicate, and we include information on how to opt out of different types of contact when we send you marketing communications. If you don't want to hear from us, that's fine. Just let us know when you provide your data or contact us on firstname.lastname@example.org or 020 7923 5470 to update us.
Occasionally, we may include information from third party organisations working with us in our communications – for example an organisation running an event or selling a product to raise money for Target Ovarian Cancer. We do not give your data to these organisations.
We do not sell, rent or share personal details to third parties, including other charities, for their marketing purposes. But, if we run an event in partnership with another named organisation your details may need to be shared, for example on the guest list for an event at an external venue. We will be clear what will happen to your data when you register.
Our legal basis for processing your information
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- you have given us consent
- where it is necessary for our or a third party's legitimate interests, which are to further our charitable objectives, and your interests and rights do not override those interests
- where we need to comply with a legal or regulatory obligation.
We will only use sensitive personal data:
- provided we have your explicit consent to use it
- where we believe that we need to use that data to protect your vital interests where you are not able to provide us with your explicit consent
- where it is necessary for reasons of substantial public interest
- where you have previously made that data public knowledge
- if we need to use that data to establish, exercise or defence legal claims.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Keeping your information secure
We use a specialist external agency, Adestra, to manage our email communications. They normally only store data within the European Economic Area (EEA). If they need to transfer it outside of the EEA then they will take steps to make sure adequate levels of privacy protection, in line with UK legislation, are in place.
We use a specialist external agency, the Big Give, to manage one of our Fundraising Campaigns. The Big Give are based in the United States (US), and any data they collect or process will be done so in the US.
In addition, we will take all steps reasonably necessary to ensure that your data is treated securely, including taking the following safeguards:
- PCI DSS standards
We comply with the Payment Card Industry Data Security Standards in relation to debit/credit card payments made on our website.
- Building entry controls
We are based on a secure gated estate with CCTV and maintain your data in a restricted access locked area.
- Secure lockable desks and cupboards
Desks and cupboards are kept locked when not in use if they hold confidential information of any kind.
- Methods of disposal
Paper documents are disposed of by shredding in a manner that ensures confidentiality.
- Firewalls and encryption
We use industry-standard and up-to-date firewall and encryption technology.
- Overseas transfers
Whenever we transfer your personal information outside the United Kingdom, we ensure a similar degree of protection is afforded to it by ensuring that we apply appropriate safeguards.
Brexit and transferring your data to countries in the European Economic Area (EEA)
Post-Brexit, the UK will be a third country for GDPR purposes. This means any organisation based in the EEA that is transferring data to the UK will need to ensure the data is adequately protected to GDPR standards. Organisations in the UK processing the personal data of EU citizens will need to comply with both the UK data protection law (which includes the version of the GDPR implemented on 25 May 2018; “UK GDPR”) and the EU GDPR.
Target Ovarian Cancer has considered the territorial scope of the GDPR and considers that the EU GDPR will not apply to it post-Brexit. This is because the charity is not offering goods or services to, or monitoring the behaviour of, EU data subjects. Target Ovarian Cancer will not appoint an EU representative because only a small percentage of our income comes from supporters living in the EU and the charity does not actively cultivate European donors or supporters.
Target Ovarian Cancer relies on a number of third party agencies to process income on our behalf such as Just Giving and Facebook. These third parties may make restricted transfers of data to Target Ovarian Cancer if any of their operations are based in the EU, and in such instances it is the third party’s responsibility to ensure that the personal data is protected.
Upon receipt of the data, Target Ovarian Cancer will ensure that any EU data subjects’ personal data is protected under both the UK and EU GDPR and treat personal data with care and due diligence. Occasionally, Target Ovarian Cancer will need to upload data of UK data subjects to a third party’s site, and any transfer of data will be done securely.
Sharing your story
Some people choose to tell us about their experiences to help further our work. They may take on a role as an ambassador or spokesperson, tell their story at an event, sit on an advisory panel or contribute to our guides and publications. This may include them sharing sensitive information related to their health and family life in addition to their biographical and contact information.
We use some of the information provided, including gender, ethnicity or the type of cancer people have experience with, to identify opportunities for you to get involved. If we have the explicit consent of the individuals, or their parent or guardian if they are below the legal age under UK law, this information may be made public by us at events, in materials promoting our work, or in documents such as our annual report.
If you are a speaker at one of our events, we will publically promote your involvement via social media and emails to our supporters. This data may continue to be processed by those platform providers after the event has ended.
Where appropriate we will seek consent from a parent or guardian before collecting information about children. Our events have specific rules about whether children can participate, and we make sure advertising for those events is age appropriate.
We collect and manage information from children, and aim to manage it in a way which is appropriate to the age of the child. Information is usually collected when children attend our events or fundraise for us. We will collect name, date of birth and address in the same way as adults to record the levels of support we have been given.
How we gather information
The type and quantity of information we gather and how we use it depends on why you are providing it. We gather information in the following ways:
When you give it to us directly
You may give us your information in order to sign up for one of our support events (eg Being Together), contact the support line, to fundraise for us (eg The Ovarian Cancer Walk|Run), tell us your story, make a donation, sign up to receive our newsletters or communicate with us directly.
When you give it to us indirectly
When you have given other organisations permission to share it
You may have provided your details to other organisations that work with us, for example when buying a product or services.
When we collect it as you use our website or apps
You may find Target Ovarian Cancer on Facebook yourself, or you may receive an ad from us. We target ads at audiences that appear to have an interest in ovarian cancer. We do this to inform, educate and engage potential new supporters or tell people about the services we offer.
Facebook is a valuable tool for us and for our community, which is why we use the platform. However, Facebook is a commercial company. We want to remind our users that information shared on timelines, on our page or in private messages may be used or sold by Facebook for commercial purposes.
Employees, volunteers and job applicants
If you apply to work or volunteer at Target Ovarian Cancer, we will only use the information you give us to process your application and to monitor recruitment statistics. If we want to disclose information to someone outside the charity – for example, if we need a reference, or need to get a 'disclosure' from the Criminal Records Bureau – we will make sure we tell you beforehand, unless we are required to disclose this information by law.
If you are unsuccessful in your job application, we will hold your personal information for six months after we've finished recruiting the post you applied for. After this date we will destroy or delete your information. We keep de-personalised statistical information about applicants to develop our recruitment processes, but this does not contain any information that could be used to identify individual job applicants.
When you start working for us, we will put together a file about your employment. We keep the information in this file secure, and will only use it for matters that apply directly to your employment.
Once you stop working for us, we will keep this file according to our document retention policy. You can contact us to find out more about this.
How we keep your data safe and who has access
We ensure that there are appropriate technical controls in place to protect your personal details. We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
We allow Adestra to use personal data on our behalf to send out our mailings. We ensure all data transferred is protected by using a secure data transfer site.
Some of our suppliers run their operations outside the European Economic Area (EEA), for example those we work with on our overseas treks, or suppliers who have headquarters in other countries. Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK legislation. By submitting your personal information to us you agree to this transfer, storing or usage at a location outside the EEA.
We may need to disclose your details if required to the police, regulatory bodies or legal advisers or in exceptional circumstances as outlined in our Safeguarding policy. Regulatory bodies include HMRC, the Charity Commission or Office of the Scottish Charity Regulator, the Information Commissioner's Office and the Fundraising Regulator.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Keeping your information up to date
We really appreciate it if you let us know if your contact details change so that we can continue to stay in touch with you.
You have various legal rights in relation to the information you give us, or which we collect about you, as follows.
- You have a right to access the information we hold about you free of charge, together with various information about why and how we are using your information, to whom we may have disclosed that information, from where we originally obtained the information and for how long we will use your information.
- You have the right to ask us to rectify any information we hold about you that is inaccurate or incomplete.
- You have the right to ask us to erase the information we hold about you (the 'right to be forgotten'). Please note that this right can only be exercised in certain circumstances and, if you ask us to erase your information and we are unable to do so, we will explain why not.
- You have the right to ask us to stop using your information where: (i) the information we hold about you is inaccurate; (ii) we are unlawfully using your information; (iii) we no longer need to use the information; or (iv) we do not have a legitimate reason to use the information. Please note that we may continue to store your information, or use your information for the purpose of legal proceedings or for protecting the rights of any other person.
- You have the right to ask us to transmit the information we hold about you to another person or company in a structured, commonly-used and machine-readable format. Please note that this right can only be exercised in certain circumstances and, if you ask us to transmit your information and we are unable to do so, we will explain why not.
- Where we use/store your information because it is necessary for our legitimate business interests, you have the right to object to us using/storing your information. We will stop using/storing your information unless we can demonstrate why we believe we have a legitimate business interest which overrides your interests, rights and freedoms.
- Where we use/store your data because you have given us your specific, informed and unambiguous consent, you have the right to withdraw your consent at any time.
- You have the right to object to us using/storing your information for direct marketing purposes.
If you want to access your information, please send a description of the information you want to see and proof of your identity by post for the attention of the Data Manager, Target Ovarian Cancer, 30 Angel Gate, London, EC1V 2PT. We do not accept these requests by email in order to ensure that we only provide personal data to the right person.
If you have any questions please send these to us at the address above or email@example.com and for further information see the Information Commissioner's guidance.
If we have not been able to deal satisfactorily with any concerns you may have over how we have processed your personal information, you have a right to make a complaint to the Information Commissioner's Office on 0303 123 1113.
How long we keep your information for
The length of time that we will store your data will depend on the 'legal basis' for why we are using that data, as follows:
||Length of time
|Where we use/store your data because it is necessary for us to comply with a legal obligation to which we are subject
||We will use/store your data for as long as it is necessary for us to comply with our legal obligations
|Where we use/store your data because it is necessary for our legitimate business interests
||We will use/store your data until you ask us to stop. However, if we can demonstrate the reason why we are using/storing your data overrides your interests, rights and freedoms, then we will continue to use and store your data until we no longer have a legitimate interest in using/storing your data
|Where we use/store your data because you have given us your consent
||We will use/store your data until you ask us to stop
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. Please ask us if you would like more information about how long we retain your information for.
Changes to this notice
We may change this privacy notice from time to time. If we make any significant changes to this notice and the way we hold personal data, we will make this clear on the Target Ovarian Cancer website or by contacting you directly.
If you have any questions, comments or suggestions, please let us know by contacting us at Target Ovarian Cancer, 30 Angel Gate, London, EC1V 2PT or email us on firstname.lastname@example.org.
This privacy notice was updated in April 2018 in compliance with the General Data Protection Regulation (GDPR).