Pancreatic Cancer UK believe it’s important to be up front about what we do with your data – we’re committed to keeping it safe and treating it with respect.
This policy outlines everything you need to better understand how we collect and use the information that you either provide to us or which is provided to us about you by third parties or via publicly available sources.
We’re the sole ‘Data Controller’ of your information. This means that only we determine the purpose for and the manner in which your information is used. We’ll never sell your personal information or share it with another organisation for their own marketing purposes.
Pancreatic cancer is a tough disease – tough to diagnose, tough to treat and tough to survive. We provide support, information, campaign and fund research. We wouldn’t be able to continue our fight against pancreatic cancer without your involvement and support.
Your personal data helps us to raise money in a more efficient and cost-effective way, helping us to better target our donation requests and create more meaningful direct marketing campaigns. It also helps us to improve the services we provide to people with pancreatic cancer and helps to change the way in which the disease is diagnosed, managed and treated.
If you’ve got any questions or concerns, you can get in touch with us in the following ways:
By Post: FAO: Fundraising Compliance Manager, Pancreatic Cancer UK, 6th Floor, Westminster Tower, 3 Albert Embankment, London SE1 7SP
By Email: email@example.com
By Telephone: (020) 3816 0707
We directly receive personal information when people:
- Sign up to participate in one of our events (eg. a marathon or a skydive) or order fundraising materials from us;
- Let us know they want to support our work in a more practical way (eg. raising awareness of pancreatic cancer or volunteering for us);
- Make a donation or buy something through our online shop (eg. Christmas cards);
- Request health professional-related information from us or attend an event (eg. our Annual Summit);
- Submit a request for funding for a specific pancreatic cancer research project;
- Come along to one of our “Living with Pancreatic Cancer” support days or contact our confidential Support Line;
- Complete a pancreatic cancer-related survey;
- Register to join our online discussion forum; and
- Apply for a job
We indirectly receive personal information when:
- We sometimes carry out research and analysis using publicly available sources in order to better understand our supporters.
We believe it’s crucial that we raise money in the most cost-effective ways possible. That’s why we sometimes take a closer look at the personal information of our supporters to better understand how they might be able to help in the future. This means we can better target our donation requests and deliver more cost-effective fundraising. See the “Profiling” section in this notice for more information.
* An IP address is a unique string of numbers separated by full stops. It is unique to each computer and identifies each device using the internet.
If you choose to support us either by volunteering, fundraising on our behalf, signing up for an event, campaigning alongside us or sharing your experiences of pancreatic cancer, we collect:
- Your name;
- Your contact details (specifically your postal address, telephone number(s) and email address); and
- Where applicable or appropriate, details about your experiences of pancreatic cancer.
If you donate or buy something through our online shop, we’ll ask you for your bank/credit card details.
At times, we also collect demographic information from publicly available sources.
We ask for this information so that we can:
- Provide you with services and information you’ve requested – this includes sending you information about the fundraising activities/events you’ve taken part in on our behalf;
- Respond to any questions or feedback you might have about our work;
- Send you information about our work that we think you’ll be interested in;
- Process the donations you make to support our work, including Gift Aid;
- Keep up to date with the relationship you have with us. This includes a record of your engagement with us and how you prefer to be contacted;
- Better understand how we can deliver more cost-effective fundraising campaigns as well as improve the services that we offer to people who get in touch with us; and
- Detect and reduce fraud.
If you call our Support Line, our specialist nurses will ask you questions about your experiences of pancreatic cancer. We won’t keep a record of what’s been said during the call unless we have your permission and only the Support Line team will have access to it.
Finally, we ask supporters to give us more information about why they’ve chosen to support us. You don’t have to give us these details if you don’t want to.
We rely on our legitimate interests (see “The legal conditions we rely upon to process personal data” section) to contact you by post and, unless you’re registered with the Telephone Preference Service (TPS), by phone to tell you about:
- Our research progress and campaigning activities;
- Ways in which you can support us, from taking part in an event through to donating; and
- The services we provide to people with pancreatic cancer.
If you’ve given us consent, we’ll also contact you by email and SMS (text message). You can withdraw your consent or change the way that we contact you any time, using the contact details below:
By Post: FAO: Fundraising Compliance Manager, Pancreatic Cancer UK, 6th Floor, Westminster Tower, 3 Albert Embankment, London SE1 7SP
By Telephone: 020 3535 7090
Alternatively, you can fill in our Contact Preference Form.
We use “email tracking” to review the success of our email campaigns – an invisible pixel is embedded in the emails that we send which tells us how many people have opened the email. This process also logs destination email addresses, IP addresses and email client types. You can “opt out” of tracking by banning HTML emails.
As a supporter-focussed charity, we want to send you information that we think you’ll be interested in. We believe that this helps to improve your experience of being one of our supporters and also ensures that we’re using our resources in the most effective ways possible.
At times, we use profiling and screening techniques to help us ensure communications are relevant and timely and to provide the best experience we can for our supporters. When building a profile, we look at how supporters have supported us in the past and analyse geographical, demographic and publicly-available information about them such as addresses and listed Directorships.
This allows us to send communications based on the supporter’s individual circumstances which, in turn, means that we are able to target our resources more effectively – something that donors consistently tell us is a key priority for them. There are no other consequences of the profiling activities that we conduct.
If you don’t want us to use your information in this way, please email us with your request and we’ll ensure that your wishes are respected.
Some of our supporters choose to share their experiences of pancreatic cancer with us which not only gives invaluable insight into the impact of our work but also helps to highlight the urgent need for change to the way in which the disease is diagnosed and treated.
Supporters who share their experiences may:
- agree to share their story with a journalist;
- give us permission to share their story on our social media channels and/or our website;
- share their story at special events run for patients; and/or
- sit on our committees including our Research Involvement Network.
If we have the person’s consent, we’ll share the information that they give to us at events, in materials promoting our campaigning and fundraising work, with journalists and/or in press releases and in publications like our annual report.
We also regularly review the types of supporter who provide us with their stories so that we can ensure the views and experiences we hear adequately represent the diverse pancreatic cancer community.
If you contact our Support Line and speak to one of our specialist nurses, they’ll ask you for information about your health or that of a loved one if they’ve got pancreatic cancer.
With your permission, we’ll keep a record of what you’ve spoken to us about. This means that if you contact the support line again, we can provide you with more personalised support.
Only the Support Line team has access to the health-related information that you give to them and it will be kept safe. It will be primarily used to provide you with support and information about pancreatic cancer. However, we’ll also use it on an anonymised basis to help improve the general services we provide and to help inform our wider policy and campaigning work.
Depending on the circumstances, the Support Line team might also ask if you’d like to receive updates about our work - for example, through our quarterly newsletter. In this case, you’ll need to provide your contact details so that you can be put on our mailing list. Alternatively, you might be directed to our website so you can sign up when (and if) you feel ready.
We run “Living With Pancreatic Cancer Support Days” across the UK – these events are designed to provide support and information to those currently affected by pancreatic cancer. We encourage people attending to register in advance; from those who don’t register beforehand, we’ll collect a small amount of personal information at the event.
If you give us your consent, we’ll keep a record of you attending the event along with your personal details in accordance with our data retention policy. This information will be stored in a confidential part of our database which can only be accessed by members of the Service team who organise the events.
Our online discussion forum provides a place for people affected by pancreatic cancer to share their concerns and experiences as well as to receive support from other people in a similar situation. It’s a place where people can discuss everything from how to navigate the healthcare system to how to talk about pancreatic cancer with loved ones.
Please be aware that your forum posts will be accessible by both us and other forum users. We regularly monitor forum posts to ensure that members are following the forum’s community guidelines which help to provide a safe and supportive environment.
As well as asking members of the forum to provide their name and email address, we also ask for their postcode so that we can get a better understanding of our regional reach and target our services where they’re most needed.
We encrypt credit or debit card details on our online donation page which means that they can’t be intercepted and subsequently accessed. We redact all bank details that are provided to us during the course of setting up Direct Debits and do not store credit card details.
Any financial information that we do store is held on a secure system and shared with a third-party agency (Bottomline Technologies) so that it can process donations for us.
Our website uses Google Analytics to look at how people use the site. Google Analytics uses “cookies”, which are text files placed on your computer - they help us to see how long people stay on our site and which of our pages are the most popular as well as the least visited. This in turn helps us to make the site as relevant and as useful as possible.
The information produced by the cookie about how you use the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. The company then uses this information to compile visitor reports for us about website activity.
Google will transfer this information to third parties if required by law, or where such third parties process the information on Google’s behalf. Google won’t link your IP address with any other information held by Google.
You can block cookies by selecting the appropriate settings on your browser. However, please remember that our website might not work as well as it should if you do this. For more details, please read our Cookies Policy.
Our website provides links to websites operated by other organisations. These organisations have their own privacy policies so please review these if you want to find out more about how they protect your privacy.
Our campaigns don’t specifically target children. However, there might be occasions where children will get in touch with us. They might, for example, want to fundraise for us, make a donation to support our work or get in touch to speak to one of our specialist pancreatic cancer information nurses.
Wherever possible, we aim to get consent from a parent or guardian before we collect information about children. However, in cases where we become aware that someone we are engaging with is below 16 only after we already have collected their data, we’ll ask for the consent of a parent/guardian to continue communicating. If we’re unable to get this, we’ll stop all contact with the child concerned and delete their information.
We’re committed to keeping any data you provide to us safe and secure. All of our staff therefore undergo comprehensive data protection training when they first start working for us.
All of our online forms are encrypted which means that the details on them can’t be accessed while the information is transferred to us. Our computer network is protected by Sophos anti-virus software and is routinely monitored by our IT Manager to prevent security breaches.
We use external companies (refer to the "Who we share personal data with" section) to deliver fundraising campaigns on our behalf. Before working with them, we carry out thorough checks to ensure that they’re compliant with data protection laws.
In cases where the companies we work with operate outside the European Economic Area (EEA) (refer to the “Transfers outside of the European Economic Area (EEA)” section), we make sure that they provide the same level of protection as required in the UK.
We keep personal data only for as long as it’s necessary and in accordance with our internal data retention policy.
In some cases, we’re required by law to keep personal information for a specific length of time. For example, we’re required to keep information relating to our employees for a minimum of 6 years after they’ve left the charity.
When it comes to financial donations and Gift Aid, we’re required to keep information such as the supporter’s name, address, Gift Aid declaration form(s) and financial information for 7 years for HMRC auditing purposes.
We delete health information given to us by Support Line users after 18 months if they haven’t subsequently been in contact. However, their contact information is kept on our database in case the individual engages with us in another way, eg. they choose to make a donation or take part in an event.
In cases where the law is less specific about how long data should be kept for, we carry out an assessment based on the following factors to determine how long we need to keep it:
- the type of personal data concerned (eg. is it “special category” data?);
- the nature and length of the relationship with the individual concerned; and
- the stated contact preferences of the individual.
Following that assessment, all personal information no longer required will be deleted. However, we’ll retain basic information (such as a supporter’s postcode and transactional history) and securely archive this. We believe it’s important to keep basic information of this kind in case someone leaves a gift in their Will to us and we’re required to evidence the nature of their support if it’s contested.
We use external direct marketing companies to run campaigns on our behalf through the post and by phone. We also use the services of external mailing houses to send out information in the post on our behalf. We carry out checks to ensure that our suppliers will treat your data with respect and we have contracts in place with all of them which state that:
- they can only use the personal information we have sent to them for the purposes we’ve outlined;
- their employees must be subject to a “duty of confidence” when using that data;
- they must follow robust security measures to ensure that the data we share with them is kept secure;
- they must delete or return all data to the controller as requested at the end of the contract; and
- they consent to regular audits and inspections and provide us with any information we might need to ensure they’re complying with data protection laws.
Some of our suppliers’ head offices are based in the United States of America (USA) and are therefore outside the European Economic Area (EEA). Nevertheless, we’ve ensured that there are necessary safeguards in place which protect the personal data of our supporters.
The fundraising suppliers that we use vary from time to time. To request an up-to-date list of the suppliers that we’re currently working with, please email firstname.lastname@example.org.
We’ll never sell your data or share it with any third parties for their own marketing purposes.
We may need to share data under special circumstances, such as where we are under a legal obligation to do so. This includes disclosing your details if required to the police, regulatory bodies or legal advisors.
These companies are certified with the Privacy Shield which requires registered US companies to:
- better safeguard EU citizens’ data;
- provide clear privacy information; and
- limit the collection and use of data.
The Privacy Shield also allows for more robust monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC) which includes increased co-operation with the European and Swiss Data Protection Authorities.
The General Data Protection Regulation (the GDPR) says we must have a lawful basis to process the personal information of our supporters. We rely on the following four legal conditions to process personal data:
We rely on consent to:
- send supporters information by email and SMS about our work
- process “special category data” (eg. information relating to someone’s health or ethnicity).
- manage the relationships we have with our case studies – this ranges from the use of their photograph through to sharing their story with the media.
- conduct “Research Peer” reviews – by submitting applications to us for research funding, researchers consent to peers reviewing those applications and approving them. The number of reviews we obtain for each application is proportionate to the funding amount requested and our peer reviews are conducted in line with the Association of Medical Research Charities guidelines.
Consent can be withdrawn at any time.
Under the GDPR, we can process personal information under the condition of “Legitimate Interests” provided that:
- the activity is necessary to fulfil our charitable objectives;
- the activity meets with the expectations of the person who the personal information relates to;
- the activity doesn’t override the individual’s rights and freedoms; and
- the individual has been given an opportunity to object to the processing.
Before carrying out any activity that relies on legitimate interests, we will complete an assessment to determine the potential impact and ensure that necessary safeguards are in place to protect your rights. Unless the law requires it, we won’t use the information you give to us for activities where the impact on you overrides our legitimate interests.
Pancreatic cancer is a tough one but we’re taking it on. It is tough to diagnose, tough to treat, tough to research and tough to survive. For too long this disease has been sidelined. We want to make sure that everyone affected by it gets all the help they need. These are our “Legitimate Interests”.
In order to achieve our legitimate interests and long term objectives, we believe it’s necessary to:
- contact supporters by post and phone about our work - we believe we can cultivate long-term support for our work by keeping our supporters up to date with information about how they can support us by post and phone. You can opt out of hearing from us in these ways at any time and we don’t call people who are registered with the Telephone Preference Service (TPS);
- respond to supporter enquiries, requests for information and acknowledge the donations we receive;
- process donations and payments;
- protect your information while you use our website;
- build profiles of our supporters – we believe it’s necessary not only to ensure that we target our resources in the most cost-effective way possible but that our supporters receive relevant and timely communications. We therefore analyse and build profiles about supporters based on the nature of their support. For more info about our use of profiling, refer to the profiling section. You can opt out of us using your personal information in this way at any time;
- carry out market research to review the success of our campaigns;
- carry out quality assurance monitoring to ensure compliance with the Code of Fundraising Practice;
- contact prospective corporate supporters about supporting our work – this gives us the opportunity to raise vital funds more quickly and reach out to audiences who might not otherwise be aware of our work;
- contact MPs about our work – this helps to ensure that improvements to the way in which pancreatic cancer is diagnosed and treated remain at the heart of the political agenda;
- co-operate with non-statutory third parties on complaint investigations – your data might need to be processed as part of an investigation undertaken by a non-statutory regulator (eg. the Fundraising Regulator) to review potential breaches of the Code;
- make improvements to our database; and
- manage staff usage of our IT systems.
We believe that all of these activities are necessary for us to continue being an effective and efficient charity. This, in turn, will help us to achieve our charitable objectives more quickly.
We process data to fulfil the following contractual obligations:
- creating and managing staff IT accounts;
- awarding grants for specific pancreatic cancer research programmes;
- sending items purchased through our online shop to customers and claiming direct debit and standing order donations on days specified by the donor;
- employee relationship management – this includes dealing with issues like grievances and disciplinaries, flexible working, performance and appraisals, paying salaries and staff benefits (eg. season ticket loans, childcare vouchers etc), ensuring that requirements for new starters/leavers are met and developing staff and volunteers through training and development programmes;
- employee recruitment and resourcing – this includes shortlisting, interviewing, offers of employment and reference checking;
- paying invoices sent to us by third-party suppliers for services they have carried out on our behalf; and
- monitoring ‘Discussion Forum’ posts to ensure that users are abiding by the forum’s community guidelines.
We process data to fulfil the following legal obligations:
- co-operating with statutory third-party regulators (eg. Charity Commission or Information Commissioner’s Office) on investigations;
- administration of legacies – including contacting solicitors, funeral directors as well as the individual’s families;
- responding to supporters who want to exercise their data protection rights;
- processing Gift Aid claims – including giving necessary information to HMRC;
- Health and Safety – this involves training staff on health and safety regulations and speaking to them about obtaining tailored equipment to satisfy their needs if required;
- Income Reconciliation – we need to make sure that the money we receive is matched to the corresponding supporter information; and
- Statutory Registers and Returns – we’re required to keep statutory registers up to date for organisations like the Charity Commission and Companies House.
The GDPR gives you more control over what happens to your personal information. Under this legislation you have the right to:
- be given clear, transparent and free information about how your data will be used;
- access your personal data so that you can see how your personal information is being used by us;
- have your personal information updated and corrected;
- obtain and reuse the personal data you have given to us for your own purposes;
- request that we permanently delete or remove your information where there is no “compelling” reason for us to keep it; and
- request that we don’t use your personal data for specific purposes and, unless we are under a legal or contractual obligation, we must respect your wishes.
The GDPR also prohibits us from using solely automated technologies to build profiles and make decisions about people who support us which will have “legal or similarly significant effects”, unless:
- it’s necessary to fulfil a contract;
- it’s been authorised by a Union or Member state law; or
- you’ve given your explicit consent for your information to be used in this way.
When carrying out other types of profiling, we need to tell you about how your information will be used and you can object if you don’t want to be included in that process. We’ve outlined our approach to profiling and ways in which you can opt out.
If you’d like to exercise any of the rights outlined above, please email us. We’ll respond to your request within 3 working days with an outline of the next steps.
If you’ve got any concerns or questions about how we use personal data, please don’t hesitate to contact us in one of the following ways:
By Post: FAO: Fundraising Compliance Manager, Pancreatic Cancer UK, 6th Floor, Westminster Tower, 3 Albert Embankment, London SE1 7SP.
By Email: email@example.com
By Telephone: (020) 3816 0707
If you’d prefer to contact an independent authority about your concerns, please contact the Information Commissioner’s Office (ICO). The ICO has been set up by government to uphold the public’s information rights and can be contacted in the following ways:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 0303 123 1113
We’ll fully co-operate with the ICO to address any concerns you might have about how we use your data.
If we make any significant changes to the way in which we process your information, we’ll make the required changes to this Privacy Notice and will notify you in advance of any changes being put into practice so that you can raise any concerns or objections with us.
When making less impactful changes, we’ll update this notice and post a summary of the changes we’ve made under the “News” section of our website.