St. Piers School and College is part of Young Epilepsy. Young Epilepsy is the operating name of The National Centre for Young People with Epilepsy Charitable Trust - Registered Charity number 311877 (England and Wales).
This privacy notice is intended to inform you how Young Epilepsy (and St Piers School and College) will use your personal data. Please note that additional information is available for specific groups, such as parents, students and staff.
You can also find specific privacy policies and procedures on our policy page by clicking here
Information governance standards
Please find below details of the standards Young Epilepsy (and St Piers School and College) meets when using personal data
Data Protection
Young Epilepsy (and St Piers School and College) endeavours to meet the highest standards when collecting and using personal information. We are committed to upholding the standards and regulations embodied in the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). Personal data will therefore at all times be:-
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- Processed in a manner that ensures appropriate security.
Young Epilepsy (and St Piers School and College) will furthermore:-
- Be responsible for and be able to demonstrate compliance with the DPA 2018 and the UK GDPR.
Young Epilepsy is registered with the Information Commissioner’s Office under our legal name of the National Centre for Young People with Epilepsy. Our registration number is Z5611618.
Individual Rights
Under the DPA 2018 and the UK GDPR you have the right to:
- Be informed (the purpose of this Privacy Notice);
- Access your information;
- Rectify inaccurate or incomplete data;
- Request the erasure of your information;
- Restrict how your data is processed;
- Object to the use of your information;
- Certain protections when your data is used for automated decision making and profiling.
There is an additional right with regard to data portability, but Young Epilepsy (and St Piers School and College) will not undertake data portability.
Should you wish to exercise any of these rights please use the contact details below.
Caldicott Principles statement
At Young Epilepsy (and St Piers School and College) we apply the Caldicott Principles, so that every flow of identifiable confidential information is regularly justified and routinely tested against the principles developed in the Caldicott Report.
Principle 1 Justify the purpose(s) for using confidential information
Principle 2 Only use it when absolutely necessary
Principle 3 Use the minimum that is required
Principle 4 Access should be on a strict need-to-know basis
Principle 5 Everyone must understand his or her responsibilities
Principle 6 Understand and comply with the law
Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality
Principle 8 Inform patients and service users about how their confidential information is used
Data Security & Protection Toolkit
As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Privacy & Electronic Communications Regulation (PECR)
As part of our Fundraising and External Relationships activities Young Epilepsy (and St Piers School and College) also complies with the standards of the PECR. These include a commitment not to contact you electronically for marketing purposes without your consent.
Telephone, mailing and fundraising preference services
Young Epilepsy (and St Piers School and College) adheres to these preference services and will not contact an individual who is recorded on these as not wishing to receive contact either by phone or post or who simply does not wish to be contacted by any charitable body.
Contacts
Please contact us if you:
- Have any queries or concerns about the use of your personal data, as outlined in this document;
- Wish to exercise one of your Data Protection rights;
- Need to correct or update any information we hold about you;
- Wish us to stop using your information or to change your contact preferences (please note that these changes may take 30 days to have effect).
Please contact the Supporter Engagement team:
Supporter Care supportercare@youngepilepsy.org.uk
Data Protection dpo@youngepilepsy.org.uk
Both of the above can also be contacted through the main Young Epilepsy (and St Piers School and College) switchboard on 01342 832243.
Please note that should you be unhappy about the way we implement data protection you have the right to lodge a complaint with the Information Commissioner’s Office https://ico.org.uk/
Amendments
We may update this privacy notice from time-to-time by posting a new version on our website. You should occasionally check these pages to ensure you are aware of the changes. For more information about how the privacy notice is changed please contact us using the details provided in this document.
Privacy notice
Information kept by Young Epilepsy (and St Piers School and College)
Young Epilepsy (and St Piers School and College) may keep the following personal data[1] and special category data[2] about you that includes but is not limited to:
- Personal information, such as your name, contact details, date of birth, ethnicity, gender identity etc.;
- Health information, such as information you may provide on your relationship to epilepsy, any medication you may take and any other medical conditions you may have;
- Information you may share with us in activities, such as consultations, audits, questionnaires, surveys and workshops;
- Your views, experiences or knowledge shared at meetings, steering groups or other gatherings;
- Financial information, such as your credit card details if you have made a payment and your tax payer status if we are able to claim Gift Aid;
- Records of any research you may have participated in or research topics and areas you are most interested in;
- Any blog, vlog, interviews, photos or videos or other publicity/marketing information that you may provide us with;
- A record of your relationship with Young Epilepsy, such as of any contact you may have had with our staff teams, events you have attended etc.;
- Information we may have generated about you through our research and profiling activities;
- Who your local decision maker is;
- Information about your activities on our websites or social media platforms when you use them;
- Any other information that you may provide in conversation, by email or in other form of communication.
Please note that we may anonymise some of the data we hold on you. You will not be identifiable in these records.
Young Epilepsy (and St Piers School and College) keeps personal data in computerised, digital or hard copy filing systems. This can include the software that allows us to manage our relationships with donors and supporters, the platforms that host our sites for us and paper records maintained by our teams. The information is held in a confidential manner with limited access, in accordance with the DPA 2018 and the UK GDPR.
We are committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
What this information is used for
Your personal information may be used in the following ways that includes but is not limited to:
- To further our charitable objectives;
- Process any donations or payments and to fulfil online orders, bookings or requests;
- Manage any event, conference or activity, when we will use the contact details you have provided, such as an email address, to provide you with all the requisite information you need to participate and, of course, to thank you afterwards;
- Respond to your requests, questions or comments;
- Guide our work as a charity, such as what topics or issues Young Epilepsy (and St Piers School and College) should campaign or provide support on;
- Ensure the health & safety of anyone attending a Young Epilepsy (and St Piers School and College) event, which may involve holding health data such as details about your Covid-19 status;
- Regularly keep in contact with you and send you communications on areas that you have known interest in and on other work and activities which we think may be of interest to you;
- Fundraising or Direct Marketing;
- Maintain our websites, platforms and social media, including monitoring use, data analysis and statistics;
- Provide or administer services, such as newsletters, surveys, financial appeals, or training materials;
- Provide you with information about Young Epilepsy (and St Piers School and College), such as fundraising opportunities, the impact of our work, updates on our services, or other information that we feel may be of interest to you;
- Inform you of new epilepsy related developments, policy or campaigns;
- Generate reports on our work and activities;
- Conduct due diligence;
- Maintain our organisational records;
- Identify potential supporters, donors and activists;
- Ensure you are on the correct and most age-appropriate mailing list(s) and that we have parental consent where required by law;
- Publicise and promote Young Epilepsy (and St Piers School and College) and our activities;
- Meet our legal and regulatory obligations;
- Establish, defend or enforce legal cases;
- Invite you to specific tasks and events that we think will be of interest to you and to send reminders about these;
- Respond to any legacy bequests we may receive;
- Send you formal email invitations from the Young Epilepsy research unit members and Epilepsy Research UK paediatric epilepsy grantees;
- Contact and consult you on the design and management of research and other Young Epilepsy (and St Piers School and College) activities;
- Undertake data profiling and research;
- Use information you have provided in consultations and surveys to identify areas of Young Epilepsy (and St Piers School and College) activity that you are interested in and be used to provide feedback to the relevant Young Epilepsy (and St Piers School and College) staff team.
Source of the personal data
Primarily the information will have been provided by you to one of our employees, representatives, or agencies through any of the following means: -
- Digital contact, such as by email, through social media or other digital method of communication;
- Phone chat/interview;
- Virtual meeting, such as on Teams or Zoom, which, if appropriate, we may record;
- Or in person at a meeting;
- When you engage with Young Epilepsy (and St Piers School and College), for example, when you register or attend one of our events or activities, make a donation or purchase, participate in a campaign or fundraising activity, volunteer, register to use our services, provide feedback or make a complaint or otherwise engage with Young Epilepsy (and St Piers School and College) staff, representatives or agencies;
- Use of our website (please refer to our Cookies policy for further details).
Data profiling and research
As a result of providing us with the information above we may in turn use this to generate further information about you, such as through the use of data profiling and research. This may result in us holding additional information such as your job role, philanthropic activity
Publicly available information
We may use publicly available information, such as charity websites, social media, the electoral register etc. in order to expand upon the information you have provided us with.
Social media
If your privacy settings on social media allow, we may access information about you from sites such as Facebook, WhatsApp and Twitter, should you, for example, publicly tag us in a photo. The information we receive will depend on the privacy settings you have set on each platform and the policies relevant to each platform. To change these settings please refer to their privacy notices.
Methods of contact
We use a variety of methods to contact you including:
- Electronic communications, such as emails, texts etc.; marketing material will only be sent to you by these means if you have consented to this;
- Post, which enables us to contact a wide range of individuals and is an easy way to keep you updated. It allows you to stay informed, donate and get involved in your own time and in a way which is not intrusive for you.
- Telephone;
- Social media, such as Facebook, LinkedIn, Twitter and Instagram. We do this through advertising on your social media or through posting messages and information on our own social media pages which you may choose to “like”, “follow” or interact with.
If you want to change the method we use to contact you, then please follow the instructions in the communication you have received or contact the relevant staff team using the details provided earlier. If you no longer wish to be contacted by us use the word “unsubscribe” in the subject field of an email. (Please note that this change may take up to 30 days to come into effect.)
Sharing information
Young Epilepsy (and St Piers School and College) does not routinely share information with third parties, except as outlined below. Where we may wish to share the information more widely, we will either seek your consent to do so or anonymise the data, so that you are not identifiable.
Complaints/Reviews
Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.
Data Processors
We use data processors. A data processor is an organisation responsible for processing personal data on behalf of Young Epilepsy (and St Piers School and College). It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy (and St Piers School and College), the DPA 2018 and the UK GDPR are upheld at all times.
Examples of data processors are the companies that provide the software that allows us to manage our relationships with donors and supporters, that manage our financial merchandise sales and donations and that run any platform on which Young Epilepsy (and St Piers School and College) internet pages/sites may be located. Whilst these may be overseas, our contract ensures UK standards are applied.
The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact us using the contact details provided earlier.
Inspections
Young Epilepsy (and St Piers School and College) is subject to a number of regulatory standards, such as the Care Quality Commission, Information Commissioner’s Office, Fundraising Regulator etc. and may therefore allow its records to be inspected as part of that process, to ensure that Young Epilepsy (and St Piers School and College) is meeting the necessary standards. Inspectors will be given access to records but only provided with copies in exceptional circumstances, for example if a safeguarding concern is identified.
Legal obligation
We are legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, if safeguarding concerns were raised these must be disclosed to the relevant organisations and individuals.
Marketing and publicity material
If you provide us with information such as your story, photograph, blogs, vlogs or other publicity material, then this may be used:-
- In our corporate material such as reports and fundraising materials;
- On our social media, such as Facebook, Twitter, Flickr and Instagram;
- On Young Epilepsy websites/ platforms, such as The Channel, YouTube etc.;
- On the radio, TV and in the newspapers or magazines, who may put it on their own websites.
These uses will mean that your information may be viewed by many people. If it is put on websites, webpages or social media then anyone with access to the internet will be able to access it. On occasion, we may only use your first name in such materials, but it may still be possible to identify you, for example if there is other information about you on our website, for example if you are a Young Supporter or Rep.
Retention of records
All records are retained in accordance with Young Epilepsy’s (and St Piers School and College) Retention Schedules; please refer to these for information on our current retention periods.
How long we retain records for is determined by the purpose for which we hold them. This includes complying with our regulatory and statutory obligations, such as the guidance issued by the ICO, Fundraising Regulator, the Statute of Limitations etc. For example, information relating to donations, purchases, gift aid and other financial matters will be retained for at least seven years, as required by HMRC.
Our policy is to not keep records for more than seven years after last contact. If you have requested us not to send you any marketing materials then we will add your name and contact details to a suppression list, which will be retained for a longer time to ensure we do not inadvertently contact you.
We never store payment card details after a transaction has been completed.
If your details have been used for promotional purposes then these materials will be in use for much longer. For example, once something is on the internet it is very difficult to completely remove it.
If you have participated in any research projects, the information will be kept for the time specified in that research project.
Websites and platforms
Information provided to our websites and platforms, such as comments you may have made or blogs/vlogs you have uploaded, will be kept on the site/ platform for at least seven years. This is because it is important to evidence past as well as current campaigns.
Historic records
In exceptional circumstances some records may be retained for longer than the usual retention period where these form part of Young Epilepsy’s (and St Piers School and College) historic archive.
Secure destruction
Personal information that we no longer need is either securely destroyed/deleted and/or anonymised so that you can no longer be identified from it.
Lawful basis
The DPA 2018 and the UK GDPR require us to have a lawful basis for processing your data and these are outlined below.
Consent/Explicit consent
Any information you provide to our staff teams is processed on the basis that its provision indicates explicit consent for us to process it as outlined above. For example, if you sign up to a fundraising event, then we shall view this as your consent for us to use your personal data as outlined above.
Furthermore, digital communications will only be sent to you if you have consented to this method of communication. This consent will apply for approximately three years after your last contact with us unless we hear otherwise from you. We’ll check in with you regularly (approximately every three years) to make sure you haven't changed your mind. If we do not receive a response, we shall assume you do not wish to hear from Young Epilepsy (and St Piers School and College) by email or telephone and will not contact you again, by these means, until you inform us otherwise.
Where we are holding special category data, relating, for example, to your health, we do so because you have provided your explicit consent. This might be obtained via a formal consent form or because you have voluntarily provided us with this information, having been given this privacy notice.
If your personal data is to be used for campaign or publicity purposes, such as with a content piece, vlog or blog then your consent will be sought in a formal consent form, provided by the staff team that you are working with.
Contract
If we have a contractual relationship with you, for example relating to merchandise or items you may have purchased from us, then we are required to maintain these records.
Historic value
Young Epilepsy (and St Piers School and College) is an important and specialist charity that dates back over 125 years, so some records are permanently preserved for their historic value. For example, if your photo is on one of our publications, then that document may be permanently retained.
Legal claims and obligations
Where the processing is necessary to establish, defend or exercise legal claims or where ordered by a court or tribunal.
Legal and regulatory requirements
Young Epilepsy (and St Piers School and College) complies with other regulatory and legislative requirements, which may also provide a lawful basis for us using and retaining your data, such as the requirement to keep financial records for seven years and to comply with the Statute of Limitation.
Legitimate Interests
We believe it is in the legitimate interest of both you and Young Epilepsy (and St Piers School and College) for our staff teams to use your data as outlined above, for example for posting you marketing material or other material, which we think may be of interest to you.
We also use legitimate interests as our lawful basis for contacting businesses who we think may wish to support Young Epilepsy (and St Piers School and College). These contacts will be addressed to people who we think have responsibility within the business for donations/support.
We believe that it is in Young Epilepsy’s (and St Piers School and College) legitimate interests to circulate relevant information as widely as possible and we do not believe that this overrides your interests, rights or freedoms. If you think otherwise, please let us know and we will stop communicating with you on this basis.
Public Interest
Where the processing meets one of the 23 conditions set out in Schedule One, paragraphs 6-28 of the DPA 2018
Public health
Where the processing is necessary for public health monitoring and statistics; or responding to new threats to public health, such as epidemics/pandemics.
Approved by the Director of Fundraising & External Engagement, August 2022
[1] Personal data is any information relating to an identified or identifiable natural person (‘data subject’)
[2] Special categories of personal data are personal data that reveal an individual’s: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; It is also: the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation