What information we collect and why
Saving Faces collects two kinds of information about our users:
- Non-personal information we collect automatically to improve our website and measure the effectiveness of our marketing:
This includes information such as IP addresses, device type, operating system, browser, referring pages, pages accessed and files downloaded. This helps us to determine how many people use our sites, how many people visit on a regular basis, which pages are most popular and which pages are least popular. This information allows us to monitor and improve our service. IP addresses do provide us with some regional information (i.e. country and city) but they cannot be used to tell us who you are or your precise location.
- Personal information you provide to us to fulfil a request or provide a service:
The personal information we collect (if you provide it) includes your name, address, email address, telephone numbers, date of birth (where appropriate), job title, card or bank details. We collect this information only in connection with specific activities, such as participation in our research and / or audits as a patient, investigator or collaborator, processing donations and purchases, newsletter requests, Saving Faces Diagnostic Advice Service (SFDADS) membership, feedback, event participation, etc. The information is either needed to fulfil your request or to enable us to provide you with a more personalised service.
Occasionally we obtain publicly available information such as contact information or we research information to help us perform due diligence checks to ensure we are not being abused by fraudsters or criminals posing as genuine donors or to ensure that there are no conflicts of interest from potential supporters or organisations prior to our engagement. We do these checks to help protect Saving Faces from abuse.
The General Data Protection Regulation ("GDPR", the new European law for data protection) recognises that certain categories of personal information are more sensitive. These are known as "special categories of data" and cover health information, race, religious beliefs and political opinions. We do not usually collect special categories of data about our supporters except for those who agree to participate in our clinical trials and audits. The handling and storing of this sensitive data strictly adheres to protocols approved by the Research Ethics Committee (REC).
For patients in the SEND study please click here.
For patients in the GRAD study please click here.
There are various levels of institutional oversight, which are fully complied with. For those who contact our Expert Patient Helpline we ask for details relating to treatment and current health status in order to provide our service. This information is obtained and stored with the explicit consent of the user and they also have the right to withdraw their consent and information at any time. We also obtain written consent from our helpline volunteers to signify they are happy to have their details stored and to be contacted.
Saving Faces also runs HANA – the National Head and Neck Cancer Audit which will improve and contribute to changes in clinical practice ensuring that patients receive the best care possible and experience an improved quality of life. In order to run HANA, we have obtained the necessary legal approvals provided by the NHS to hold patient identifiable information without the consent of patients. This is needed to find out if healthcare is being provided in line with standards and enables care providers and patients to know whether their service is doing well, and where there could be improvements. We do not collect, process or store any patient level identifiable data for HANA but we do use an external clinical registry specialist called Dendrite Clinical Systems Limited to collect and process personal data on our behalf. They have the required Information Governance toolkits to handle this data securely. Data protection and privacy is an important part of HANA so no individual patient names can be identified in the results.
How the information is used
Our legal basis for using the information we collect about and from you will depend on the information concerned and the specific context in which we collected it. However, we will normally process your information for our legitimate interests, in order to enter into or perform a contract with you, with your informed consent and/or for compliance with our legal obligations. Being able to communicate with you is important. We believe in being open, honest and transparent with our supporters and want you to feel comfortable about your decision to give us your personal information and how we use it. If you have any questions concerning the legal basis on which we collect and use your personal information (including more details on our legitimate interests), please contact us using the details below or via http://savingfaces.co.uk/about-us/contact-us.
We will use the details you provide to us for the following purposes:
- provide you with the services, products or information you asked for
- administer your donation (including processing gift aid) and support your fundraising activities
- internal record keeping for compliance and legal obligations
- keep a record of your relationship with us
- ensure we know how you prefer to be contacted
- to communicate with you about how you are helping improve the lives of people affected by facial disease, injury and disfigurement and other ways you can help in the future whether that’s through volunteering, attending events or fundraising
- to provide, improve and undertake our research, audit and outreach services
- personal and special categories of data collected for research and audit purposes will be strictly used according to approved protocols
- in aggregate to profile your use of the websites and carry out research on our users' demographics, interests and behaviour to help us gain a better understanding of how our users navigate and use the websites, and to enable us to improve our service to you. Note that we will not be able to identify you as an individual for this analysis.
We promise that we will only communicate with you in the way you wish us to, will always respect your privacy and all marketing emails will contain an ‘unsubscribe’ link. We will never pass your personal information on to other organisations for them to use for their own marketing purposes. You can change your mind at any time and it’s quick and easy to let us know that you no longer want to hear from us. We will always respond to your wishes in a sensitive, timely, courteous and professional way.
Where we store your information
Given that the Internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us will be processed outside the European Economic Area to countries that may have data laws less protective than the UK, although the data will always be held securely and in line with the requirements of UK data protection legislation. Specifically, your data may be sent to our service providers in the USA. Information submitted by you may be transmitted to us or stored using third party organisations such as Donor Strategy which enables us to manage our database of supporters, Zoho to manage our Expert Patient Database, Wufoo (owned by Survey Monkey) to carry out public, patient and clinician surveys, as well as the submission of registration and product order forms. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice, namely (i) by executing agreements known as "Model Clauses" which are approved by the European Commission or (ii) because the recipient is certified under the EU-U.S. Privacy Shield.
We use external companies to collect or process personal data on our behalf such as clinical registry specialists Dendrite Clinical Systems Limited for HANA. We perform comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
How we protect your information
Saving Faces is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect online and by other methods. Our security and privacy policies are annually reviewed and enhanced as necessary and only authorised personnel have access to user information.
We use trusted third party services such as Virgin Money Giving and PayPal to process donations and purchases. These sites use secure server software (SSL) to encrypt financial information you input before it is sent. Please refer to their individual security policies for more information. Unfortunately, the transmission of data across the internet is not completely secure and whilst we do our best to try to protect the security of your information we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst you or we are transferring this data. Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please don’t share your password with anyone.
Any matters of a confidential and sensitive nature, including in particular information relating to the diagnosis and treatment of patients, individual staff records and details of contracts, prices and terms, will not under any circumstances be divulged or passed on to any unauthorised person or persons. Information may be shared or discussed among Saving Faces staff only if necessary for the provision of services. All Saving Faces staff are contractually obliged to abide by the charity’s security policy and legally required to abide by the Data Protection Act 1998 and, from 25 May 2018, the GDPR. Breaches in confidentiality are treated as serious and may result in the termination of member(s) of staff responsible.
Controlling your personal information
Under the GDPR you have the following rights:
- The right to access your personal information and request a copy
- The right to edit and update your personal information
- The right to request to have your personal information deleted
- The right to restrict processing of your personal information
- The right to object to data processing
- The right to have your data ported to another provider
- The right to lodge a complaint with a supervisory authority (for the UK this is the Information Commissioner's Office https://ico.org.uk/)
- You have a right to obtain confirmation that your personal information is being processed
Should you wish to exercise these rights we require you to prove your identity with two pieces of approved identification.
Keeping your personal information
We keep your personal information for as long as we have an ongoing business need to (for example as required in accordance with legal requirements and tax and accounting rules). Where your information is no longer required, we will ensure it is disposed of in a secure manner.
Using our social media pages
Whilst this statement covers our privacy practices and how we will use any data collected from our websites and social media pages on sites like Facebook, Twitter, YouTube etc. it doesn’t cover how providers of social media websites will use your information. You should read the social media site’s privacy policies before adding any content to our social media pages. Make use of the social media site privacy settings and reporting mechanisms to control the way that your information is handled.
Posting content on our websites and social media pages
Any communications sent via our websites are private and viewable by authorised personnel only (i.e. SF staff). Please note that the same does not apply to our social media pages where information is public and will appear instantly. While we do monitor these sites for inappropriate content it is not possible to moderate them in real time. So if you post comments about other people it is not only your privacy that is at stake. Protect your friends’ privacy and reputations. Be careful about uploading any content that may show you or your friends in compromising situations and be aware that other users may abuse the content you have provided.
Please don’t provide information about yourself or other people unless you are sure you and they are happy to have it made public. In particular, don’t provide any information about others without their consent where that information might identify them, such as:
- tagged photos
Under no circumstances make public other people’s home address, email addresses or contact numbers.
If you have any queries about this policy or your personal information please contact: The Data Protection Officer, Saving Faces, First Floor, Grove Building, Mile End Hospital, 275 Bancroft Road, London E1 4DG
Phone: 020 8223 8049
We may make changes to this Policy from time to time. We will inform users individually in advance of any material changes to ensure that you have notice of the updates and so that you have the opportunity to object / withdraw consent.