The Royal Marsden Cancer Charity raises money to support The Royal Marsden, a world-leading cancer centre. From funding state-of-the-art equipment and ground-breaking research, to creating the very best patient environments, we will never stop looking for ways to improve the lives of people affected by cancer.
To help us do this we may collect and process your personal data. This gives us a better understanding of our supporters which strengthens our decision-making processes and cost effectiveness, as well as being necessary for the administration of our supporters’ donations.
The Royal Marsden Cancer Charity adheres to the requirements of the General Data Protection Regulation 2018 (the “GDPR”) and respects any personal data you share with us. We aim to be clear about when we collect your data and will not do anything with it you wouldn’t reasonably expect, so please read this policy carefully to understand how we collect, use and store your information.
2. Contacting us
The Royal Marsden Cancer Charity is a data controller in respect of your personal data. If you have any questions about this policy or the ways in which we may process your personal data, please contact us:
Data Protection and Privacy
The Royal Marsden Cancer Charity
London SW3 6JJ
Telephone: 020 7808 2233
Email: [email protected]
Or you can use our online form
3. What personal information do we collect, and how?
Personal information is information that can be used to identify you or tell us about you. We will only collect what we consider necessary. This includes the following:
- Your name
- Your contact details
- Donations you make to us
- Gift Aid status
- Enquiries, feedback and complaints
- Date of birth and gender
- Logs of communications we’ve sent you and you’ve sent us
- Your communication preferences
- Your bank or credit/debit card details - if you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard.
- Your personal and charitable interests
- Your professional activities
- Any relationships relevant to your support, e.g. a relationship to the hospital, the cause, or to another one of our donors
- Information about your wealth (see Identifying and building relationships with philanthropists in section 4).
- Philanthropic Interests
- Your photograph
- Employment history/health/convictions (if a volunteer)
Occasionally we may need to collect information that is considered to be sensitive. For example:
- Medical data related to an event you might take part in - where we need this information to ensure we provide appropriate facilities for you
- Health information you have given us related to your support for the charity and the hospital
On most occasions where we collect sensitive personal data for these purposes we will obtain your consent and we will make it clear to you, when collecting this information, what we are collecting and why. You may withdraw such consent at any time by contacting us (see section 2. Contacting us; also see section 10. Your rights). We would only record sensitive data without explicit consent in rare circumstances where relevant information has been clearly and deliberately shared publicly by you and where it satisfies RMCC’s internal guidelines.
How do we collect personal information?
We will collect personal information directly from you when you:
- Ask about our activities or register your interest in an event
- Make a donation to us
- Sign up, register or apply for an event
- Sign up to volunteer
- Sign up for communications
- Engage with our website
- Order products such as merchandise from our shop
- Make an enquiry or complaint
- Write, email or talk to us on the phone or in person
We may collect personal data indirectly from you in the following ways:
- We collect contact details, financial transactions, gift aid status and communications preferences via third party fundraising platforms that support your fundraising (e.g. Just Giving) and from organisations that support your fundraising events (e.g. skydiving, running and cycling events).
- We may collect information about your philanthropic interests and any relationship you have to The Royal Marsden and our cause from print and online media articles about you in the public domain
- We gather and observe data about supporters’ use of our websites, such as which pages are most visited and which events or activities are of most interest as well as feedback ratings and text (see section 9. Our website).
- Our third party screening providers may look at philanthropic interests and wealth information in order to ascertain who has the ability to fund major projects. This will include publicly available information from sources such as, but not limited to, Companies House, The Electoral Roll and The Charity Commission. For more information about how your personal data might be processed in this context, see Identifying and building relationships with philanthropists in section 4.
Ensuring the accuracy of your information
We aim to ensure that all information we hold about you is accurate and, where necessary, kept up to date. If any of the information we hold about you is inaccurate and either you advise us or we become otherwise aware, we will ensure it is amended and updated without delay. You can find our contact details here.
4. Why do we collect and how do we use your information?
As a data controller, The Royal Marsden Cancer Charity takes its responsibilities under the GDPR very seriously. Our lawful bases for processing your data are as follows:
- We have a legitimate interest in processing your data for the purposes of improving our products, services and website to run our organisation effectively and efficiently
- We ask for your specific and informed consent to communicate with you by email, SMS and telephone for marketing and feedback purposes. We also process data to comply with legal obligations, for example when assessing your personal information for the purposes of credit risk reduction or fraud prevention. Charities are known to have been targeted for illegal purposes such as money laundering and so we are required to monitor financial activity and report suspected fraud to the appropriate authorities
- Lastly, we process data where it is necessary for the performance of a contract. For example, we need your personal details in order to send you items ordered through our shop or to process your direct debit, both of which represent a contract.
The personal data we process on this basis includes contact and identification details, financial transactions, a record of interaction, relationships relevant to your support, information about your wealth and philanthropic interests.
We process some of your personal data in a manner that you would reasonably expect to pursue our legitimate interests. We have carefully balanced your interests against our interests when deciding whether this is appropriate. Our legitimate interests and the purposes for processing that fall under each of them are as follows:
Processing and record keeping
- Process your donation(s)
- Acknowledge any donation(s) we receive
- Managing feedback and complaints
- Keeping a record of your communications with us
- Supporting your fundraising activities
Understanding and improving our products and services
- Analysing and segmenting data in order to ensure we understand your support and are sending you communications tailored to you and your interests
- Blocking disruptive use of our website, recording website traffic and personalising the way our information is presented to you
Fundraising and marketing by post
- Provide you with updates and information about our work
- Ask you to help us raise money or donate to our charity
- Analysis to help us understand more about you so we can send more targeted and relevant communications and can ask you to support in appropriate ways
- Invite you to participate in surveys or research
- Processing your application
- Managing timesheets
- Keeping a record of communications
Targeted digital or social media marketing
We may use the information you provide to ensure our digital and social media advertising is effective – this might include secure provision of contact details to digital advertising networks or to social media companies. This could mean your information allows us to show online ads to you and to others like you. Any information we share will be securely encrypted and you can ask us not to share your information in this way by getting in touch.
However, you should bear in mind that even when you have asked us not to share your information for this purpose, you may still see adverts relating to our cause. This will be because the ad network or social media site has selected you based on information they hold, or settings you have on your device or profile with them, without using any information provided by The Royal Marsden Cancer Charity.
If you want to manage the advertising you see through social media sites you can find out how here:
Identifying and building relationships with philanthropists
The Royal Marsden was founded on philanthropy and it still plays an important role in our fundraising today. By learning more about those who could support us, we are able to provide the funding opportunities most likely to interest you. We analyse all the types of personal data described in section 3 to allow us to understand your charitable interests, capacity to provide philanthropic support, and connection to our work. It is this understanding which helps us to have a personalised relationship with you, maximising the impact your philanthropy has.
This research will often be carried out by us directly but in some instances trusted third party partners will be used to manage our resources more efficiently. For more information on the third parties we use see section 5. Information Sharing and Disclosure.
Processes carried out by such third parties may include screening techniques. This would involve sharing select personal data with the third party and screening against their existing database of publicly available data for evidence that you may have the ability and inclination to provide further philanthropic support.
The categories of personal data we process on this basis may include contact and identification details, your health condition and relationship with The Royal Marsden.
We may contact you for marketing purposes by email, telephone, mobile telephone or text but only with your explicit opt-in consent. It is your choice what type of communications and information you receive about our Charity and the ways in which you can get involved.
We will also obtain your consent when we collect sensitive personal data from you, unless you have clearly and deliberately shared the relevant information in public.
You can change your mind about consent or withdraw it at any time by contacting us (see section 2. Contacting us).
Compliance with a legal obligation
The categories of personal data we process on this basis include contact and identification details, financial transactions and gift aid status, professional activities, records of interaction and any criminal convictions.
We may send you service communications for example if you have made a donation by text. We require data in order to process Gift Aid claims and manage email and SMS text suppression (permanent exclusion) lists.
We are also required by law to protect against the possibility of charitable donations being used as part of criminal activity such as fraud or money laundering, which would need to be reported to the authorities. Such instances are rare but where a risk is highlighted, we are required to process personal data in order to carry out due diligence in order to be confident in accepting legitimate offers of support.
When necessary for the performance of a contract
The categories of personal data we process on this basis include contact and information details as well as your bank details and financial transactions.
We may send you service communications for example when you place an order for goods or services on our website. We also need data to be able to service your direct debit. Without the relevant personal data here, it would not be possible to carry out the contract with you.
5. Information sharing and disclosure
We will not, without your consent, supply any of your personal data to any third party except for the following reasons, which are expanded on below:
- We are required to do so by law enforcement or regulatory bodies where this is required or allowed under the relevant legislation
- We share personal data with The Royal Marsden for volunteer management and, when required, for supporter stewardship
- We use third-party companies from time-to-time to support our fundraising activities and carry out data processing operations on our behalf
We will disclose your personal information to third parties if we are required to do so through a legal obligation (this would include but not be exclusively HMRC, Information Commissioner’s Office, Charity Commission, Companies House, the police or government bodies); to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.
The Royal Marsden
We work closely with The Royal Marsden both in managing the volunteers that help in the hospital and enabling our supporters to get updates from clinical staff about the work they help to fund. In both cases it is necessary for us to disclose information to some staff working for The Royal Marsden.
- Volunteers – We will share your contact details with the hospital to enable them to support your volunteer experience and have access to the relevant training. The Royal Marsden will be the data controller of any personal or sensitive data provided with regards to your work in the hospital e.g. your occupational health data
- Funding – We will share information about your support and link to the cause with staff you may meet in the hospital to ensure that they understand your interests. This information will only be held for the duration of the relationship and The Royal Marsden Cancer Charity remains the data controller for all personal data related to your support
- Case Studies – Where you have offered to be a case study to help promote the hospital or Charity’s work, we will share the details with the hospital
Use of third parties
We will use third party companies as trusted partner organisations that work with us in connection with our charitable purposes. We will work with organisations that support us to deliver fundraising appeals, campaigns, conduct research surveys or store your personal information on our behalf. While the specific list of suppliers will change, the following categories of organisations will remain relatively constant. We share personal data with the following:
- Organisations that operate fundraising platforms to give you choice about the way you can fundraise for us
- Third party companies that manage events (e.g. runs, bike rides and sky dives) that you have registered for
- Organisations that help us support our fundraising e.g. mailing houses and printers
- Specialist organisations that can help us analyse our supporter data to ensure we provide the right people with the right messages
- As part of a corporate relationship with your employer to support your fundraising and volunteering activities.
- We use GoCardless to process your direct debit payments. More information on how GoCardless process your personal data and your data protection rights, including your right to object, is available at https://gocardless.com/legal/privacy.
We will always make sure appropriate contracts and controls are in place and we regularly monitor all our partners to ensure their compliance. We actively screen these companies to maximise the protection of your privacy and security. They are only permitted to use the data in accordance with the GDPR.
One of the third parties we work with is Active Network, which is based in the USA and falls outside of the European Economic Area or EU. Although they may not be subject to the same data protection laws as we are here in the UK, they have signed up to the EU-US Privacy Shield, a mechanism which ensures that US companies that sign it comply with EU data protection requirements.
6. Under 16s
If you are aged 16 or under, and would like to participate in an event, make a donation or get involved with us, please make sure that you have your parent or guardian’s permission before giving us your personal information. When we collect information about a child or young person, we will make it clear as to the reasons for collecting this information and how it will be used. We will not communicate with under 16s directly beyond fulfilling the relevant service i.e. acknowledging the gift, sending out event details. You can withdraw consent at any time by contacting us (see section 2. Contacting us).
7. Vulnerable circumstances policy
We recognise the importance of protecting our vulnerable supporters and follow the guidance issued by the Institute of Fundraising on treating donors fairly. We believe this helps to support our staff, volunteers and fundraisers who come into contact with supporters in providing high quality customer care, ensuring anyone donating to the Charity is in a position to make a free and informed decision.
8. Storing your information
We will keep all your information in a confidential record that is specific to you. We use a customer relationship management system (CRM) to support our activity. This means that we can keep the information you provide us, so we are able to see the history and relevant details of your relationship with us. We take information security very seriously. No one is allowed access to our system or files unless they need this in order to provide a service to you or for one of the other purposes discussed in this notice.
We will only keep your information for as long as needed to ensure that we can effectively carry out your wishes, for example process your donation, respond to your enquiry and make sure that we are only sending you communications that are relevant to you and are in line with your preferences. If you have supported us with a donation we will keep your contact, donation and communication details, as well as why you have donated if you have decided to give us this information. For prospective supporters, we will keep details for 2 years before deleting them.
When we no longer need to retain your information we will ensure it is securely disposed of at the appropriate time. You can ask us to delete this information at any time and we will do so immediately.
We do not store your credit or debit card details at all, following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Most transactions are undertaken without a person ever seeing your credit card details and only those staff authorised to process payments will be able to see your card details.
If we receive an email containing any credit or debit card details, it will be immediately deleted, no payment will be taken and you will be notified about this.
We will not use your information for marketing purposes if you have asked us not to. However, we will retain your contact details on a suppression (permanent exclusion) list to help ensure we do not continue to contact you.
9. Our website
To make full use of our website you need to accept cookies. Without cookies you can still visit our website but some features won't work. More information on cookies can be found in our Cookies Policy.
Our website is hosted on a secure server. Any information you send to us over the internet is encrypted using Secure Sockets Layer (SSL) technology. Although we cannot 100 per cent guarantee the security of any information you transmit to us, we enforce strict procedures and security features to protect your information and prevent unauthorised access.
10. Your rights
You have the right to:
- Request a copy of the information we hold about you, and to transmit that copy to another data controller
- Update or amend the information we hold about you if it is wrong
- Change your communication preferences at any time, including withdrawing consent to be contacted by email, phone or SMS, or consent to process sensitive information you have given us
- Ask us to remove your personal information from our records
- Object to the processing of your information for marketing purposes
- Raise a concern or complaint about the way in which your information is being used.
If you wish to find out more about these rights, or obtain a copy of the information we hold about you, please contact us:
Private Information Request
The Royal Marsden Cancer Charity
London SW3 6JJ
Telephone: 020 7808 2233
Email: [email protected]
Or you can use our online form
We hope that you will not have cause to complain about any aspect of our services. If a problem does arise you are, of course, entitled to complain – if you have any concerns or complaints that cannot be raised with us through the above details, you can also contact the Information Commissioner here.
Last updated: 15 May 2018