Privacy statement
At Winston’s Wish, we take your privacy and your personal data very seriously. We know how important it is to you that we treat any personal information that we might gather from you with the utmost care.
The law is very clear about what we need to do in this regard and we are fully committed to complying with our legal obligations.
But we always do our best to protect your data because we genuinely value the trust that you put in us as an organisation and we believe ensuring we look after the information you give us is part of continuing that trusted relationship.
We abide by the principles, processes and practices we set out in our Data Protection Policy (last updated in September 2021 in line with GDPR).
In relation to GDPR, we use your consent as the lawful basis for processing your data and we rely on legitimate interest where we have existing and ongoing relationships with our donors, supporters and volunteers. For staff, we use contracting as the lawful basis for processing personal information.
Who we are
We are Winston’s Wish – a registered charity (1061359) established in 1992 that provides support for children and young people who are bereaved. We are a registered company, limited by guarantee (number 03329289). Our services are available throughout the UK. Our Head Office is located in Gloucester, Gloucestershire.
We also provide support for parents, carers and professionals, and we deliver training and raise funds through a range of activities. We also conduct research and advocate on behalf of bereaved children in pursuit of our vision of a society in which bereaved children and young people have their needs met.
Get in touch
Before we tell you more about what data we gather, why we gather it, and how we look after it why don’t we let you know how you can contact us. This might be to ask to see your data; to make a complaint about how we have handled your data; to ask us to delete or correct something.
Our Data Protection Officer (DPO) is Laura Threadingham
Just drop her an email with the details of your request at lthreadingham@winstonswish.org. It is as simple as that.
If you’d prefer to write to us, then please do:
Data Protection Officer, Winston’s Wish, Conway House, 31-33 Worcester Street, Gloucester, GL1 3AJ
Personal data – what’s that?
By personal data, we mean any information that could be used to identify you. At its simplest this could be just your name and address; or, it could include your bank account details, telephone number, email address, a picture or recording of you. As we also provide clinical services, some of the data we need to gather to help us deliver those services will be sensitive personal data which might include information about health and well-being or ethnicity.
Where we get your personal data from
As a starter, we only ever get your personal information from you. We don’t buy lists or take data from third parties unless we have your consent to accept that information.
There are several ways in which we might collect personal data from you.
Children and Families
You might be receiving a service from us in which case we would collect your data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you. If you are under 13 we will need to get consent from the relevant adults to hold your personal information.
Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us but we would only take that data with your consent.
In any case, before you started receiving support from us we would have explained all of this to you and asked you to give us your specific permission (your ‘consent’) to gather, hold and process this information for a defined period of time.
Sometimes we are approached by the media who want to speak to families who have experienced a bereavement. We never pass on any information about families to the media unless the family have given us specific consent to do so.
When you call our Helpline, we collect some basic information about you and your situation to allow us to provide the support offered to you, with your consent. We follow the nationally recognised Helplines Standard and are a member of the Helplines Partnership.
If you asked to be referred on for further support, or if you requested a free resource to be sent to you at the end of a call or a series of calls then we would let you know at that point that we would need to gather some additional personal information from you with your consent.
We would only hold that data either for the purposes of providing you with an ongoing service, or to get a publication to you. Either way, this information is kept safe and deleted after an appropriate period of time, in line with our data retention policy. If you want to know how long that is then please ask us.
When you contact us through the ASK email service, you are providing some personal information such as an email address or names. We retain this information securely for as long as necessary in order that we can respond to your request appropriately.
Our online chat service is anonymous, but in receiving notifications using an email address or SMS you are providing some personal information. We retain this information securely for a short period before they are deleted.
However, if you asked to be referred on for a face-to-face service, or if you requested a free resource to be sent to you whilst using our online chat service then we would let you know at that point that we would need to gather some personal information from you with your consent.
We would only hold that data either for the purposes of providing you with an ongoing service, or to get a publication to you. Either way, this information is kept safe and deleted after a defined period of time. If you want to know how long that is then please ask us.
Supporters, Donors, Staff and Volunteers
As a supporter or donor, you might give us personal information if you take part in a fundraising event, buy a book or a memory box, register for an activity, or donate an amount to us to support our work. This might include your name and address and bank details, for example.
You might want to work for us, or already be employed here in which case we would hold personal information that you had given us for the purposes of your employment which might include your employment history and bank details.
If you are successful and you come and work for us then we use the performance of a contract as the lawful basis for processing your personal data.
You might also have volunteered with us, and so we would hold some personal information that you had given to us for the purposes of making that happen. Again, this might include information you had given to us with your consent relating to your interests, experience and contact information.
What we do with your personal data
We use the data we gather from children, young people and families we are supporting for the sole purpose of providing the best care and support that we can to them. This might also include being able to evaluate the quality of support we have given and audit our practices. Where we believe sharing the information we have been given with other agencies is in the best interests of supporting the child or young person then we would do that with consent.
We have produced a separate privacy notice for children and young people.
We take our responsibility to safeguard the welfare of children, young people and vulnerable adults very seriously. We are legally obliged to pass on personal information to the relevant authority if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service this will all be covered in the process of giving your consent for us to hold and process your personal information.
We take protecting your personal information seriously. We will never sell or swap your details with another organisation. We use the information supporters and donors have given to us to process any donations or to keep in touch about our work. This includes newsletters, fundraising updates and opportunities to attend or take part in events. We aim to provide our supporters with a great experience and to communicate with every support in the best way.
At Winston’s Wish, our work is only made possible thanks to the generosity of our supporters – so it is important that our fundraising efforts are as effective as they can be. By developing a better understanding of our supporters’ interests, preferences and level of potential donations through researching them on publicly available sources we can tailor our fundraising communications to those most likely to be interested in them. We use websites such as corporate websites, public social media accounts, the Electoral Register and Companies House to get a fuller understanding of someone’s interests and capacity to support the charity.
We use the information that staff provide us to ensure that we can meet our legal obligations as an employer and for administrative purposes. For volunteers, we use personal data for administrative purposes. In both cases, we also use personal data to ensure we comply with safeguarding legislation and our obligations there. This includes ensuring our vetting and barring checks are done in accordance with DBS legislation and best practice.
In some instances we need to record personal data to meet our legal obligations (for example we need to record financial transactions to comply with UK tax laws).
How long we keep your data for
We would never seek to keep your data for longer than you would think reasonable. In our GDPR and Data Protection Policy we set out a retention schedule that indicates how long we hold personal information and when it is deleted or archived.
If you would like to know how long we keep data for then please do contact us using the contact information at the top of this privacy notice.
We are registered with the Fundraising Regulator, and we follow the Fundraising Regulator’s Code of Practice – https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice/
If you are receiving communications from us then we will periodically ask you if you would still like to receive information from us and you are welcome to opt out at any time in line with best practice in fundraising.
Who can see your information
We take data security very seriously. Our internal systems are robust and we have invested in ensuring our data systems meet industry standards. Access to information we hold internally is restricted according to the type of data we hold and where we hold it. All personal data is processed by staff in the UK and data we hold securely on third party servers is hosted and maintained within the European Union.
For the purposes of storing or processing some of the data you provide, or providing our services to you we might pass some of your personal information to service providers e.g. Cloud-based data storage providers; HMRC or external agencies (e.g. schools, local children’s services).
We may also share your data with law enforcement agencies or statutory agencies if required.
A word about ‘Cookies’
When anyone visits our website, their IP address, browser and version, operating system and the site they came from are stored in a log file. This information is only used for statistical purposes to help improve this site. Log files do not contain any personal information. We do not use cookies for collecting personal information and we will not collect any information about you except that required for administration of the web server.
GDPR – A Summary of Your Rights
The Information Commissioner’s Office (ICO) has produced a summary of your rights in relation to data protection and the General Data Protection Regulation (GDPR)
If you have a concern about how we have handled or processed your data, or are unsatisfied with our response to a complaint you have raised with us then please contact the ICO – https://ico.org.uk/concerns
This privacy notice was last updated in September 2021. It is reviewed regularly.