Before we tell you more about what data we gather, why we gather it, and how we look after it why don’t we let you know how you can contact us. This might be to ask to see your data; to make a complaint about how we have handled your data; to ask us to delete or correct something.
Our Data Protection Officer (DPO) is Colin Ireland.
Just drop him an email with the details of your request at firstname.lastname@example.org. It is as simple as that.
If you’d prefer to write to us, then please do:
Data Protection Officer, Winston’s Wish, 17 Royal Crescent, Cheltenham, Gloucestershire, GL50 3DA
By personal data, we mean any information that could be used to identify you. At its simplest this could be just your name and address; or, it could include your bank account details, telephone number, email address, a picture or recording of you. As we also provide clinical services, some of the data we need to gather to help us deliver those services will be sensitive personal data which might include information about health and well-being or ethnicity.
Where we get your personal data from
As a starter, we only ever get your personal information from you. We don’t buy lists or take data from third parties unless we have your consent to accept that information.
There are several ways in which we might collect personal data from you.
You might be receiving a service from us in which case we would collect your data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you. If you are under 13 we will need to get consent from the relevant adults to hold your personal information.
Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us but we would only take that data with your consent.
In any case, before you started receiving support from us we would have explained all of this to you and asked you to give us your specific permission (your ‘consent’) to gather, hold and process this information for a defined period of time.
Sometimes we are approached by the media who want to speak to families who have experienced a bereavement. We never pass on any information about families to the media unless the family have given us specific consent to do so.
One place where we wouldn’t collect your personal data would be on the Helpline which is a confidential, anonymous service. We follow the nationally recognised Helplines Standard and are a member of the Helplines Partnership.
However, if you asked to be referred on for a face-to-face service, or if you requested a free resource to be sent to you at the end of a call or a series of calls then we would let you know at that point that we would need to gather some personal information from you with your consent.
We would only hold that data either for the purposes of providing you with an ongoing service, or to get a publication to you. Either way, this information is kept safe and deleted after a defined period of time. If you want to know how long that is then please ask us.
Our ASK email service is anonymous, but in contacting us using an email address you are providing some personal information. We retain this information securely for a short period before they are deleted.
As a supporter or donor, you might give us personal information if you take part in a fundraising event, buy a book or a memory box, register for an activity, or donate an amount to us to support our work. This might include your name and address and bank details, for example.
You might want to work for us, or already be employed here in which case we would hold personal information that you had given us for the purposes of your employment which might include your employment history and bank details.
If you are successful and you come and work for us then we use the performance of a contract as the lawful basis for processing your personal data.
You might also have volunteered with us, and so we would hold some personal information that you had given to us for the purposes of making that happen. Again, this might include information you had given to us with your consent relating to your interests, experience and contact information.
We use the data we gather from children, young people and families we are supporting for the sole purpose of providing the best care and support that we can to them. This might also include being able to evaluate the quality of support we have given and audit our practices. Where we believe sharing the information we have been given with other agencies is in the best interests of supporting the child or young person then we would do that with consent.
We have produced a separate privacy notice for children and young people.
We take our responsibility to safeguard the welfare of children, young people and vulnerable adults very seriously. We are legally obliged to pass on personal information to the relevant authority if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service this will all be covered in the process of giving your consent for us to hold and process your personal information.
We only use the information supporters and donors have given us to process any gifts or donations or to keep them in touch with our work via newsletters and other communications. This might also include letting them know about exciting opportunities to take part in fundraising events for Winston’s Wish.
We never use your data for profiling, for identifying potential donors or for donor preference analysis. We only accept personal information from third parties where you have expressly consented to your data being passed on by them – for example, Just Giving or Charities Aid Foundation.
We use the information that staff provide us to ensure that we can meet our legal obligations as an employer and for administrative purposes. For volunteers, we use personal data for administrative purposes. In both cases, we also use personal data to ensure we comply with safeguarding legislation and our obligations there. This includes ensuring our vetting and barring checks are done in accordance with DBS legislation and best practice.
In some instance,s we need to record personal data to meet our legal obligations (for example we need to record financial transactions to comply with UK tax laws).
We would never seek to keep your data for longer than you would think reasonable. In our GDPR and Data Protection Policy we set out a retention schedule that indicates how long we hold personal information and when it is deleted or archived.
If you would like to know how long we keep data for then please do contact us using the contact information at the top of this privacy notice.
We are registered with the Fundraising Regulator, and we follow the Fundraising Regulator’s Code of Practice – https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice/
If you are receiving communications from us then we will periodically ask you if you would still like to receive information from us and you are welcome to opt out at any time in line with best practice in fundraising.
We take data security very seriously. Our internal systems are robust and we have invested in ensuring our data systems meet industry standards. Access to information we hold internally is restricted according to the type of data we hold and where we hold it. All personal data is processed by staff in the UK and data we hold securely on third party servers is hosted and maintained within the European Union.
For the purposes of storing or processing some of the data you provide, or providing our services to you we might pass some of your personal information to service providers e.g. Cloud-based data storage providers; HMRC or external agencies (e.g. schools, local children’s services).
We may also share your data with law enforcement agencies or statutory agencies if required.
The Information Commissioner’s Office (ICO) has produced a summary of your rights in relation to data protection and the General Data Protection Regulation (GDPR)
If you have a concern about how we have handled or processed your data, or are unsatisfied with our response to a complaint you have raised with us then please contact the ICO – https://ico.org.uk/concerns
This privacy notice was last updated in May 2018 in line with the compliance deadline for GDPR. It is reviewed regularly.