Chest Heart & Stroke Scotland (CHSS) promises to respect any personal data you share with us, or that we get from other organisations, and to keep it safe. We aim to be clear when we collect your data and not do anything you wouldn't reasonably expect. Here we tell you what we will and will not do with your information.
This policy includes:
- Where we collect information about you from.
- What personal data we collect and how we use it.
- How we keep your data safe and who has access.
- Keeping your information up to date.
- Right of access and correction of your information.
- Changes to this Policy.
If you have any questions, comments or suggestions, please let us know by contacting the Data Controller at Chest Heart & Stroke Scotland, 3rd Floor, Rosebery House, 9 Haymarket Terrace, Edinburgh EH12 5EZ.
Where we collect information about you from
We collect information in the following ways:
WHEN YOU GIVE IT TO US DIRECTLY.
You may give us your information in order to sign up for one of our events, tell us your story, make a donation (money or goods), purchase a product or communicate with us. Sometimes when you support us, your information is collected by an organisation working for us (e.g. a professional fundraising agency), but we are responsible for your data at all times.
You may give us your information because you receive a service from CHSS. Where the service is provided jointly with the NHS (for example, our Stroke Nurse Service) you may initially give your data to the NHS and they will share it securely with CHSS (this is because the stroke nurses are jointly funded by the NHS and by public donations to CHSS). This information is held separately within CHSS from supporters’ data, including any information relating to your condition. However, if you later choose to support CHSS as a donor or by telling us your story, your basic details will be recorded on the fundraising database. Details relating to your condition will NOT be transferred.
WHEN YOU GIVE IT TO US INDIRECTLY.
WHEN YOU GIVE PERMISSION TO OTHER ORGANISATIONS TO SHARE IT.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you may give us permission to access information from those accounts or services.
You may also provide permission for third party organisations to share your data with other third parties, including charities. You may do this when you buy a product or service, register with a website that runs competitions or register with a comparison site.
The information we get from those services depends on your settings or the responses you give, so you should regularly check them.
WHEN INFORMATION IS AVAILABLE PUBLICLY.
We may combine information you provide to us with information which is publicly available, in particular from on-line fundraising pages, to gain a better understanding of our supporters and to improve our communications with you. This is because sites such as Just Giving and Virgin Money only pass on basic contact details and the amount raised, but do not pass on information regarding your motivations in raising funds for the charity.
WHEN WE COLLECT IT AS YOU USE OUR WEBSITES OR APPS.
In addition, the type of device you're using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you're using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
The website uses a cookie for Google Analytics. It does not capture or store personal information, but merely logs the user's IP address which is automatically recognised by the web server. This is used to record the number of visitors to our site and volumes of usage.
For more information about Google Analytics visit the Google Analytics website.
If you do not wish to accept cookies on to your machine you can disable them by adjusting the settings on your browser. However, this will affect the functionality of the CHSS website.
What personal data we collect and how we use it
The type and quantity of information we collect and how we use it depends on why you are providing it.
Our Fundraising Promise to our donors and supporters can be found [here]
If you support us, for example make a donation, volunteer, register to fundraise, sign up for an event, donate stock to our shops, or buy something from our on-line shop, we will usually collect:
- Your name.
- Your contact details.
- Your date of birth.
- Your bank or credit card details.
Where it is appropriate we may also ask for:
- Information relating to your health, for example if you are taking part in a high risk event. NB: this is not about people who use our services – their data is held separately within CHSS.
- The reason you support CHSS (including whether this relates to any personal experience of CHSS) is helpful for us in understanding our supporters better. However, we will never make this question mandatory, and only want to know the answer if you are comfortable telling us. We will never share this information with others unless you give us permission to do so.
- Confirmation of whether or not you are a taxpayer.
We will mainly use your data to:
- Provide you with the services, products or information you asked for.
- Administer your donation (money or goods) or support your fundraising, including processing gift aid.
- Keep a record of your relationship with us.
- Manage the way you like to hear from us regarding the work of CHSS and how you can support us.
- Understand you better so we can improve our services, products or information.
Whatever it is about CHSS you are interested in, we really want to be as tailored as we can in our communications with you. To help us do this, we will sometimes analyse things like what you are interested in and where you live to help us engage with you in a meaningful way. This is important because it cuts down on broad ranging communications and helps us ask for donations or give information based on what we know you would like to hear about. We also want to get in touch in the way you'd prefer - be it by email, on the phone or in writing - and may ask you to let us know your preferred option.
We will contact you from time to time to let you know about the progress we are making and to ask for financial and non-financial support. We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear communications preference questions and we include information on how to request no further contact from us. If you don't want to hear from us, that's absolutely fine, please just get in touch to let us know and we will make sure your wishes are followed. When you give us your information, or you get in touch with us, we will assign a CHSS number and you can email it to email@example.com.
When we send communications about the work of CHSS and how you can support us by post, this is because we believe you are interested in people in Scotland with chest, heart and stroke conditions and that you want to help them. We will always provide an easy way for you to unsubscribe from receiving such materials. Where our communications are by e-mail, we will only do so if you have consented to receive them and you will always be offered an opt-out option.
Some people choose to tell us about their experiences with lung disease, heart disease and stroke and allow us to share their story to help further our work. They may take on a role advocating for CHSS, attend events, sit on our committees, or be the subject of an appeal. This may include them sharing sensitive information related to their health and family life in addition to their biographical and contact information. We will only use this information publicly at events, in materials promoting our campaigning and fundraising work, or in documents such as our Annual Report with the explicit and informed consent of the individuals (or their parent or guardian if they are under 18).
Support for people affected by chest, heart and stroke conditions
We run services to provide support to individuals affected by chest, heart and stroke conditions, and collect personal data in order to provide those services. These include our Stroke Nurse Service, Rehabilitation Support Service, and Personal Support Grants Scheme, as well as other services. This information is managed separately from other data provided to the charity. All data is treated confidentially and personal details are encrypted and securely stored. We do not share your information with any third parties.
If you receive a service from our stroke nurses, information on the outcomes of that support will be shared with the NHS. This is because the stroke nurses are jointly funded by the NHS and by public donations to the charity.
Once you no longer receive a service from us we will keep your details securely for one year before deleting any electronic record or shredding paper records. We will ask you if you want to continue to receive information about CHSS in order to support us in our future work.
All calls and requests to our Advice Line are strictly confidential. We may ask for your details if you request some of our publications or contact from one of our support groups. We will ask your permission to share information with other agencies such as NHS services. We audit the type and number of calls for quality monitoring and evaluation purposes. Feedback about our services is anonymous. In line with Helplines Accreditation, this data is always destroyed when it is no longer required.
We collect and manage information from children, and aim to manage it in a way which is appropriate to the age of the child. Where possible and appropriate we will seek consent from a parent or guardian before collecting information about children. Information is usually collected when children attend our events or fundraise for us, but it can also be sensitive personal data.
Where this is the case, this information is managed separately from other data provided to the charity.
Our events have specific rules about whether children can participate, and we'll make sure advertising for those events is age appropriate.
How we keep your data safe and who has access
We ensure that there are appropriate technical controls in place to protect your personal details; for example our online forms are always encrypted and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
As a relatively small charity, we do not always have the resource to do everything ourselves. We sometimes use external companies, such as telephone, door-to-door or research agencies, to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations of and requirements about how they handle your data on our behalf.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We do not sell or share personal details to third parties for the purposes of marketing. However, if you attend an event run in partnership with another named organisation, your details may need to be shared. We will be very clear what will happen to your data when you register.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Keeping your information up to date
Where possible we use publicly available sources to keep your records up to date. We really appreciate it if you let us know if your contact details change.
Your right to know what we know about you, make changes or ask us to stop using your data
You have a right to ask us to stop processing your personal data. If it's not necessary for the purpose you provided it to us for (e.g. processing your donation or registering you for an event) we will do so.
Contact us on 0300 112 333 or email firstname.lastname@example.org if you have any concerns.
You have a right to ask for a copy of the information we hold about you. If you spot any mistakes, please let us know and we will correct them.
If you want to access your information, send a description of the information you want to see and proof of your identity by post to the Data Controller, Chest Heart and Stroke Scotland, 3rd Floor, Rosebery House, 9 Haymarket Terrace, Edinburgh, EH12 5EZ. We do not accept these requests by email to make sure we only send personal information to the right person.
Changes to this policy
Revised January 2018