Privacy Policy

Information about us
We are a registered CIO and our registration number is 1187476. Our main trading address is Ockley House, Lower Plantation, Loudwater, Hertfordshire, WD3 4PQ.

The Charity is committed to protecting and respecting your privacy. We are responsible for protecting your personal information as a “data controller” under applicable data protection legislation. If you have any queries about this Policy or how we use your personal information, please email helen.ison@childrenssurgeryfoundation.org.

This Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Our nominated person for data protection is Chief Executive, Helen Ison and her contact details are helen.ison@childrenssurgeryfoundation.org.

What information do we collect?
We collect personal data as defined by applicable data protection legislation (‘personal information’).
We collect information about:
• employees and other staff (including volunteers)
• service users and beneficiaries
• donors and supporters
• trustees and patrons
• service providers and contractors
• family and relatives of service users

The personal information we collect might include name, email address, postal address, and telephone number. We may collect special categories of personal information, including case studies and medical information where permission has been provided by a parent/carer and/or staff.

How do we collect information?
If you are an employee or provide services to the Charity, we will collect information in line with your contract of employment or contract for services.

If you have made a financial donation to or otherwise supported the Charity, we will collect information about your donation history and your connection to the Charity.

We may collect information that is available in the public domain, for example: newspaper or online media items, publicly available posts on LinkedIn or social media or Companies House listings.

We record your requests for information and any feedback we receive from you.

We obtain personal information from you when you use our website, enquire about our activities, register with us, send or receive an email, complete application forms for job vacancies or graduate recruitment schemes, ask a question or otherwise provide us with personal information.

We may also collect technical information relating to your use of our website, including your browser type or the Internet Protocol (IP) address used to connect your computer to the internet.

We also gather general information about the use of our website, such as which pages users visit most often and which services, events or facilities are of most interest.

We may also track which pages users visit when they click on links in emails. We may use this information to personalise the way our website is presented when users visit, to make improvements to our website and to ensure we provide the best service for users. Wherever possible we use aggregated or anonymous information which does not identify individual visitors to our website.

We may also receive information about you from third parties, or from individuals or third-party organisations who share our interests and may introduce you to us if you have consented to this.

Why do we collect this information?
We collect this information for the purpose of discharging our obligations as a Charity under Charity law and to promote the cause of our Charity, which is the relief of sickness in children. The lawful basis for which we process your information is:
your consent and to protect your interests or that of another people such as the beneficiaries of the Charity

How do we use this information?
We will use your personal information:
• to promote the aims of the Charity;
• to provide you with services, products or information you have requested;
• to provide you with information about future events and products and services we think may be of interest to you, including third party events, products and services;
• for administration purposes including to notify you about changes to our services; as part of our efforts to keep our site safe and secure; and to ensure that content from our site is presented in the most effective manner for you and for your computer; and
• to make suggestions and recommendations to you about goods or services that may interest you.

If you are a donor, we add your personal information to our secure donor database in line with Fundraising regulation

We will only use your personal information for electronic marketing purposes if we are allowed to do this by law or if we have your consent. If you agree to us providing you with marketing information, you can always opt out at a later date. If you would rather not receive marketing material from us, please let us know at any time by contacting us at helen.ison@childrenssurgeryfoundation.org.

We may combine the information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our fundraising methods, products and services.

Do we share your information with anyone else?
We do not share your personal information with any third party. If we do we will ask for your prior consent.

If you make a payment or donation to us we will need to share your information with our payment processor. By paying via our payment processor you agree to accept their terms and conditions for the use of their services, including their privacy Policy. We suggest that you read their privacy Policy when using their service as we are not responsible for data you share with them.

We may also need to disclose your information if required to do so by law or as expressly permitted under applicable data protection legislation.

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy Policies and that we do not accept any responsibility or liability for these Policies. Please check these Policies before you submit any personal data to these websites.

How long do we keep your information for?
We keep your information for no longer than is necessary, as set out in our Data Retention Policy. We will retain your information for any period required by law, for example for compliance with HMRC requirements. Where we are not under a legal obligation to retain your information, we will determine what is necessary by reference to the lawful basis for processing set out above and our legitimate interests.

If you have any questions about how long we keep your information, please write to us at helen.ison@childrenssurgeryfoundation.org.

How do we protect personal information?
We take appropriate technical and organisational measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

You should be aware that the use of the Internet is not entirely secure and although we will do our best to protect your personal data we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the Internet. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features such as encryption to try to prevent unauthorised access.

Children
We take the protection of children very seriously. To that end, we require that children under 13 do not submit any information to our website without a parent's or guardian's consent. We will not knowingly request or collect from a child any information online that can be traced to the child, such as an email address, name, or information about the child's family. Unless a parent or guardian consents to such use in advance, we will not knowingly use information that a child provides to us for any fundraising or promotional purpose.

Your Rights
You have a right to ask us to confirm whether we are processing information about you, and to request access to this information (‘right of access’).

You may ask us, or we may ask you, to rectify information you or we think is inaccurate, and you may also ask us to remove information which is inaccurate or complete information which is incomplete (‘right to rectification’). We want to ensure that your personal information is accurate and up to date. If any of the information that you have provided us with changes, for example if you change your email address, name, payment details, or if you wish to cancel your registration, please let us know using the contact details at the end of this Policy.

You have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data (‘right of portability’). This right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

You have a right to seek the erasure of your data (often referred to as the ‘right to be forgotten’). You may wish to exercise this right for any reason, for example where it is no longer necessary for us to continue holding or processing your personal data you may withdraw your consent. You should note that we are entitled to and reserve the right to retain your data for statistical purposes. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest.

You have a right to ask us to restrict our processing of your information (‘right to restriction’) if:
• you contest its accuracy and we need to verify whether it is accurate
• the processing is unlawful and you ask us to restrict use of it instead of erasing it
• we no longer need the information for the purpose of processing, but you need it to establish or defend legal claims
• you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests.
• you exercise your right to restrict processing, we would still need to process your information for the purpose of exercising or defending legal claims, protecting the rights of another person or for public interest reasons.

You have a right to prevent us from processing your data for the purposes of marketing.

If you would like to exercise any of your rights above, please let us know using the contact details at the end of this Policy. We will act in accordance with your instructions as soon as reasonably possible and there will be no charge.

You have a right to report any of your concerns about our use of your data to the Information Commissioner’s Office. You may do so by calling their helpline at 0303 123 1113.

Retention and data management
This Retention and Management Policy has been approved by the Board of Trustees in line with GDPR requirements.

The Retention and Management Policy will enable the Charity to comply with the requirements of data protection legislation. Furthermore, this Policy will enable the Charity to manage and track documents and assist in providing openness and transparency to the public.

The Retention and Management Policy is required to support the organised creation, retrieval, appropriate storage and preservation of the Charity’s essential records. In addition, it is essential to support the appropriate disposal of documents with no continuing business, legal or historical significance.

As a Charity, the actual period for records to be kept will depend on a number of factors including:
• legal requirements
• storage costs
• the Charity’s need to access the document
• historical value


This Policy encompasses:
• records created by or on behalf of the Charity and staff in their duties for the Charity
• records received by any member of staff in the Charity
• hard copy and electronic records including Internet and Intranet sites, databases, emails, films and videos

This Policy will ensure that the Charity is complying with applicable data protection legislation which requires that we do not retain personal data for longer than is necessary.

To comply with the principles of data protection legislation, an organisation must:
• only keep information for as long as there is a business need
• keep records secure, whether electronic or paper (our standard of secure is industry-standard)
• ensure records are retrievable and easily traced
• allow a person access to information held about them, should they request it
It follows that the Charity must:
• destroy papers and electronic data for which there is no continuing business need and send papers that cannot be destroyed to archive for as short a time as possible
• keep data secure while it remains in the Charity office
• keep track of where information is stored
• continue to apply these good practices to avoid stockpiling papers in the future

All records created by or on behalf of the Charity belong to the Charity. This includes any rights or copyright in the context, except where specifically provided under copyright legislation.

All records received on behalf of the Charity as part of its business will be its property, which may be disposed of or released as the Charity sees fit or as required by law. Originators’ and owners’ rights will be fully respected in accordance with legislation.

Responsibility for depositing and disposing of archive records lies with the Trustees.

Responsibility for managing and tracking records lies with the Charity Manager, also referred as the CEO.

The Charity Manager will determine if a file is no longer required for current business usage which can then be added to the archive.

The Charity Manager may choose to retain records for longer than the indicative periods given in the retention schedule, for example, if they consider records to be of significant historical value or if the issue they are concerned remains ‘live.

Each year as a minimum, the records which are no longer required under the schedule should be destroyed automatically, unless specific legislation requires formal review before destruction. In line with data protection legislation, paper files containing details about persons and /or holding sensitive information should be shredded. Responsibility for ownership and destruction of files rests with the Charity Manager once the identified timescales (confirmed by the Trustees for keeping archived items is reached.

The Charity Manager will assess the information needs.

The Charity Manager will dispose of material no longer needed.

If the Charity Manager would like to retain documents past their useable date, the Charity Manager will obtain prior approval from the Trustees.