The Heart Research Institute UK (“HRI”) is committed to respecting and protecting your personal information and being transparent about what information we hold, whether you are a supporter, subscriber, or campaigner.
We have made improvements to this policy so that transparency is at the core of what we do.
The purpose of this policy is to give you a clear explanation about how the HRI collects and uses the personal information you provide to us and that we collect, whether online, via phone, email, in letters or in any other correspondence or from third parties.
We ensure that we use your information in accordance with all applicable laws concerning the protection of personal information. This policy explains:
- What information the HRI may collect about you;
- How we will use that information;
- Whether we disclose your details to anyone else;
- Your choices regarding the information you provide to us; and
If you have any queries about this privacy and cookies policy please contact the Data Protection team at the HRI at firstname.lastname@example.org
Under the data protection rules, the data controller is The Heart Research Institute (UK).
The collection of information
We collect information in the following ways:
- Information you give us. For example, when you engage with our social media or message boards, make a donation to us, register for an event or scholarship or otherwise provide us with personal information. When you register, we’ll ask for personal information, like your name, email address and telephone number to store with your account.
- Information we get from your use of our website and services. We collect information about the services you use and how you use them, for example when you visit our websites or view and interact with our ads and content.
- Information from third parties. We may also receive information about you from third parties. This can include information such as your name, postal address, email address, phone number, your geographic location (for mobile devices), credit/debit card details and whether you are a taxpayer so that we can claim Gift Aid. We, like all for-profit and not-for-profit organisations, are able to confirm which browser you are using, your IP address and the computer operating system being used, and this information may be used to improve the services we offer.
Data Protection law recognises that certain categories of personal information are more sensitive. This is known as sensitive personal data and covers health information, race, religious beliefs and political opinions. We do not collect ‘sensitive personal data’ about our supporters, unless a supporter makes the information public or if you tell us about your experiences relating to heart disease (for example, if you act as a case study for us). In such a case we will always make it clear to you when we collect this information from you, what sensitive personal data we are collecting and why and enter into a separate confidentiality agreement with you which provides more stringent parameters as to the use of supporter or patient information.
HRI website usage
If you register on our website then the following applies:
- HRI will collect your personal information when you register with us.
- Your sign-up collects information such as your name, email address and postcode.
- As part of the registration process and continued use of HRI services, you agree that any registration information you give to HRI will always be accurate, correct and up to date. Please get in touch should you need to amend any of your personal information.
- We collect and retain information about your interactions with us so that we can process your interactions and deal with future queries in a professional manner.
The information we receive about general website browsing is limited to collective data regarding sessions, pageviews and user activity (such as triggering an event or navigating through web pages). Demographic data concerning location, age, gender and user interests is also studied on a collective, not an individual, basis.
No personal information is studied or used – all metrics and dimensions are aggregated statistics involving general website activity.
Your debit and credit card information
If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. You can find out more information about PCI DSS here.
We do not store your credit or debit card details at all, following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your encrypted card details.
If we receive an email containing any credit or debit card details, it will be immediately and permanently deleted, no payment will be taken and you will be notified about this. All purchases or donations should be completed through the secure online donation page.
Legal basis and legitimate interests
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (GDPR) (EU Regulation 2016/679) and in current UK data protection legislation. These are:
Consent is where we have asked you if we can use your information in a certain way, and you agree to this (for example, when we send you marketing material via post, phone, text or email). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time and we will give you this option always.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators or courts such as the Charity Commission, Fundraising Regulator, Information Commissioner or Gambling Commission, or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / Taking steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are applying to work/volunteer with us or being funded to undertake research.
We have a basis to use your personal information where it is necessary for us to protect life or health (for instance, if there were to be an emergency impacting individuals, such as a safeguarding issue, which required us to contact people unexpectedly or share their information with emergency services).
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities HRI carries out with personal information.
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way. We make sure we only use personal information in a way or for a purpose that you would reasonably expect in accordance with this Policy, and that does not intrude on your privacy or previously expressed marketing preferences.
We operate on the basis that if you are a committed supporter of ours (meaning that you have supported our work within the last 2 years), you would reasonably expect to hear from us with updates in relation to the work that we do. For electronic communications, we require your consent to send you this material, but in relation to postal and telephone communications, we are using your personal information on the basis that it is a legitimate interest of yours to hear about the work, and a legitimate interest of ours to send it. As set out below, you have the right to ask us not to send you this information at any point.
- Provision of information requested by you
- Processing of donations, lottery and raffle tickets
- Maintaining an accurate supporter database
- Keeping supporters informed of our work
HRI uses commercially contracted third party fundraising service providers who provide a service to us and are data processors. We require these third parties to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We regularly monitor their activities to ensure they are complying with HRI policies and procedures.
Rest assured, we will never share, sell, rent or swap your details with any third parties for the purposes of their own marketing or the monetising of your data other than where you have consented or where we are authorised by law to do so.
Marketing and social media
We want to ensure that you, as an HRI supporter, receive the level of information about the HRI that is right for you, and we never want to annoy any current or potential supporter with our marketing material, as this would be counterproductive.
If you actively provide your consent to us along with your email address and/or mobile phone number, we may contact you for marketing purposes by email or text message. By subscribing to HRI emails or opting in to email communication from HRI, you grant us the right to use the email for both email marketing purposes and advertisement targeting.
If you have provided us with your postal address or telephone number we may send you direct mail or telephone you about our work unless you have told us that you would prefer not to receive such information. We also actively check telephone numbers against the Telephone Preference Service and will only make telephone calls to you where your telephone number is listed on the TPS if you have specifically told us that you do not object to such calls and have consented to receive them.
It is always your choice as to whether you want to receive information about our work, how we raise funds and the ways you can get involved. If you do not want us to use your personal information in these ways please indicate your preferences on the form on which we collect your data.
You may opt out of our marketing communications at any time by clicking the "unsubscribe" link at the end of our marketing emails or sending us an "opt-out" text message, following the instructions we provide you in our initial text.
You can also change any of your contact preferences at any time (including telling us that you don’t want us to contact you for marketing purposes by telephone, or by post) by contacting our Customer Support Centre at email@example.com
We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.
Your data rights
Under data protection laws, you have rights over personal information that we hold about you. We’ve summarised these below:
Right to access your personal information
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, send a description of the information you want to see to firstname.lastname@example.org.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.
Right to restrict use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions, you have the right for this to be done.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal information
If we are processing your personal information based on our legitimate interests or for scientific/historical research or statistics, you have a right to object to our use of your information.
If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
Please contact the Fundraising Department at email@example.com. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you. We will respond within 30 days of receipt of your written access request and confirmation of your ID.
We have implemented a data retention policy that sets out the different periods we retain personal information for in respect of these relevant purposes. The criteria we use for determining these retention periods are based on various legal requirements; the purpose for which we hold data and whether there is a legitimate reason for continuing to store it (such as in order to deal with any future legal disputes); and guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner's Office (ICO).
Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal information may be retained by us in archives for statistical or historical research purposes although we will do this in a manner that complies with applicable data protection laws.
We continually review what personal information and records we hold and delete what is no longer required. We never store payment card data after the transaction has been completed. A copy of our records retention policy can be made available on request.
Storage and transfer of personal data
Payment transactions are processed in the UK, using our PCI compliant service provider, and where required to be stored, are stored in the UK and Australia on secure servers.
We keep your personal information only for as long as required to operate the service in accordance with legal requirements and tax and accounting rules. Where your information is no longer required, we will ensure it is disposed of in a secure manner.
We are committed to protecting the privacy of young people. Our fundraising activities request specific information about the age of participants. If you are under 18 and would like to get involved, please ensure that you have consent from a parent or guardian before giving us your personal information. When we collect information about a child or young person aged under 18 we will make it very clear as to the reasons for collecting this information and how it will be used. Specific Lottery and Raffle conditions apply, so please refer to the Lottery and Raffle Fundraising Policy referenced below and how that applies to young persons.
Lottery and Raffle Fundraising Policy
The Heart Research Institute Ltd uses the professional services of external suppliers to provide art unions and games of chance to support our functions and aims. Specific terms and conditions of these activities can be found here.