Saving Faces Privacy Notice
Who we are
In this Privacy Notice, “Saving Faces”, “SF”, “we”, or “our” means Saving Faces – The Facial Surgery Research Foundation. We are the data controller.
What information we collect and why
Saving Faces collects two kinds of information about our users:
- Non- personal information we collect automatically to improve our website and measure the effectiveness of our marketing:
This includes information such as IP addresses, device type, operating system, browser, referring pages, pages accessed and files downloaded. This helps us to determine how many people use our sites, how many people visit on a regular basis, which pages are most popular and which pages are least popular. This information allows us to monitor and improve our service. IP addresses do provide us with some regional information (i.e. country and city) but they cannot be used to tell us who you are or your precise location.
- Personal information you provide to us to fulfil a request or provide a service:
The personal information we collect (if you provide it) includes your name, address, email address, telephone numbers, date of birth (where appropriate), job title, card or bank details. We collect this information only in connection with specific activities, such as participation in our research and / or audits as a patient, investigator or collaborator, processing donations and purchases, newsletter requests, Saving Faces Diagnostic Advice Service (SFDADS) membership, feedback, event participation, etc. The information is either needed to fulfil your request or to enable us to provide you with a more personalised service.
Occasionally we obtain publically available information such as contact information or we research information to help us perform due diligence checks to ensure we are not being abused by fraudsters or criminals posing as genuine donors or to ensure that there are no conflicts of interest from potential supporters or organisations prior to our engagement. We do these checks to help protect Saving Faces from abuse.
The General Data Protection Regulation (“GDPR”, the new European law for data protection) recognises that certain categories of personal information are more sensitive. These are known as “special categories of data” and cover health information, race, religious beliefs and political opinions. We do not usually collect special categories of data about our supporters unless there is a clear reason for us to do so and may collect this type of information if you make it public or volunteer it to us. We usually collect health information for those who agree to participate in our clinical trials and audits, or for those using our services. The handling and storing of sensitive data for clinical trials strictly adheres to protocols approved by the Research Ethics Committee (REC).
Wherever it is practical for us to do so, we will make clear why we are collecting this type of information and what it will be used for.
For more detailed information about specific projects or services, please see the links below.
For patients in the SEND study please click here.
For patients in the GRAD study please click here.
For more information on how Saving Faces manages the Expert Patient Helpline, please click here.
There are various levels of institutional oversight which is fully complied with. For those who contact our Expert Patient Helpline we ask for details relating to treatment and current health status in order to provide our service. This information is obtained and stored with the explicit consent of the user and they also have the right to withdraw their consent and information at any time. We also obtain written consent from our helpline volunteers to signify they are happy to have their details stored and to be contacted.
Saving Faces also runs HANA – the National Head and Neck Cancer Audit which will improve and contribute to changes in clinical practice ensuring that patients receive the best care possible and experience an improved quality of life. In order to run HANA, we have obtained the necessary legal approvals provided by the NHS to hold patient identifiable information without the consent of patients. This is needed to find out if healthcare is being provided in line with standards and enables care providers and patients know whether their service is doing well, and where there could be improvements. We do not collect, process or store any patient level identifiable data for HANA but we do use an external clinical registry specialist called Dendrite Clinical Systems Limited to collect and process personal data on our behalf. They have the required Information Governance toolkits to handle this data securely. Data protection and privacy is an important part of HANA so no individual patient names can be identified in the results.
For more information on how HANA manages patient data, please click here.
How the information is used
We will use the details you provide to us for the following purposes:
- provide you with the services, products or information you asked for
- administer your donation (including processing gift aid) and support your fundraising activities
- internal record keeping for compliance and legal obligations
- keep a record of your relationship with us
- ensure we know how you prefer to be contacted
- to communicate with you about how you are helping improve the lives of people affected by facial disease, injury and disfigurement and other ways you can help in the future whether that’s through volunteering, attending events or fundraising
- to provide, improve and undertake our research, audit and outreach services
- personal and special categories of data collected for research and audit purposes will be strictly used according to approved protocols
- in aggregate to profile your use of the websites and carry out research on our users’ demographics, interests and behaviour to help us gain a better understanding of how our users navigate and use the websites, and to enable us to improve our service to you. Note that we will not be able to identify you as an individual for this analysis.
We promise that we will only communicate with you in the way you wish us to, will always respect your privacy and all marketing emails will contain an ‘unsubscribe’ link. We will never pass your personal information on to other organisations for them to use for their own marketing purposes. You can change your mind at any time and it’s quick and easy to let us know that you no longer want to hear from us. We will always respond to your wishes in a sensitive, timely, courteous and professional way.
Legal basis for processing
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
- Specific consent
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
- Legal obligation
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators such as the Charity Commission, Fundraising Regulator, Information Commissioner, or to use information we collect about you for due diligence or ethical screening purposes.
- Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us (for instance some branded merchandise or an event place), applying to work/volunteer with us, or being funded to undertake research.
- Vital interests
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
- Legitimate interests
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities Saving Faces carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
- use of personal information when we are monitoring use of our website or apps for technical purposes;
- use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and researchers;
- sharing of personal information between relevant teams and committees within Saving Faces;
- where you have signed up with us on a charity place for a third party event (for example a sponsored run not organised by Saving Faces), sharing personal information with the third party event organiser so they can administer the event.
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way.
When we use special category personal data (please see the “Special Categories” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
Who we share your information with
We will never sell or rent your information to third parties for marketing purposes.
We may disclose your information to third parties in connection with the other purposes set out in this policy. These third parties may include:
- business partners, suppliers and sub-contractors who may process information on our behalf
- if you are a researcher, volunteer advisory panels, any joint funders of research, host institutions and external members of our committees
- if you are a legacy giver, we may share information with co-beneficiaries
- advertisers and advertising networks
- analytics and search engine providers
- IT service providers
Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies such as HMRC or legal advisors, and/or, where we consider this necessary, to protect the rights, property or safety of Saving Faces, its personnel, visitors, users or others.
Where we store your information
Given that the Internet is a global environment using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us will be processed outside the European Economic Area to countries that may have data laws less protective than the UK, although the data will always be held securely and in line with the requirements of UK data protection legislation. Specifically, your data may be sent to our service providers in USA. Information submitted by you may be transmitted to us or stored using third party organisations such as Donor Strategy which enables us to manage our database of supporters, Zoho to manage our Expert Patient Database, Wufoo (owned by Survey Monkey) to carry out public, patient and clinician surveys, as well as the submission of registration and product order forms. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice, namely (i) by executing agreements known as “Model Clauses” which are approved by the European Commission or (ii) because the recipient is certified under the EU-U.S. Privacy Shield.
We use external companies to collect or process personal data on our behalf such as clinical registry specialists Dendrite Clinical Systems Limited for HANA. We perform comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collect or have access to.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
How we protect your information
Saving Faces is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect online and by other methods. Our security and privacy policies are annually reviewed and enhanced as necessary and only authorised personnel have access to user information.
We use trusted third party services such as Just Giving and Paypal to process donations and purchases. These sites use secure server software (SSL) to encrypt financial information you input before it is sent. Please refer to their individual security policies for more information. Unfortunately, the transmission of data across the internet is not completely secure and whilst we do our best to try to protect the security of your information we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst you or we are transferring this data. Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please don’t share your password with anyone.
Any matters of a confidential and sensitive nature, including in particular information relating to the diagnosis and treatment of patients, individual staff records and details of contracts, prices and terms, will not under any circumstances be divulged or passed on to any unauthorised person or persons. Information may be shared or discussed among Saving Faces staff only if necessary for the provision of services. All Saving Faces staff are contractually obliged to abide by the charity’s security policy and legally required to abide by the Data Protection Act 1998 and, from 25 May 2018, the GDPR. Breaches in confidentiality are treated as serious and may result in the termination of member(s) of staff responsible.
Controlling your personal information
Under the GDPR you have the following rights:
- The right to access your personal information and request a copy
- The right to edit and update your personal information
- The right to request to have your personal information deleted
- The right to restrict processing of your personal information
- The right to object to data processing
- The right to have your data ported to another provider
- The right to lodge a complaint with a supervisory authority (for the UK this is the Information Commissioner’s Office https://ico.org.uk/)
- You have a right to obtain confirmation that your personal information is being processed
Should you wish to exercise these rights we require you to prove your identity with two pieces of approved identification.
If you believe that any information we are holding on you is incorrect or incomplete, please call, write to or email us as soon as possible. We will promptly correct any information found to be incorrect. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to us or emailing us at firstname.lastname@example.org or call 020 3417 7757.
If you would like to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Keeping your personal information
We keep your personal information for as long as we have an ongoing business need to (for example as required in accordance with legal requirements and tax and accounting rules). Where your information is no longer required, we will ensure it is disposed of in a secure manner.
Using our social media pages
Whilst this statement covers our privacy practices and how we will use any data collected from our websites and social media pages on sites like Facebook, Twitter, YouTube etc. it doesn’t cover how providers of social media websites will use your information. You should read the social media site’s privacy policies before adding any content to our social media pages. Make use of the social media site privacy settings and reporting mechanisms to control the way that your information is handled.
Posting content on our websites and social media pages
Any communications sent via our websites is private and viewable by authorised personnel only (i.e. SF staff). Please note that the same does not apply to our social media pages where information is public will appear instantly. While we do monitor these sites for inappropriate content it is not possible to moderate them in real time. So if you post comments about other people it is not only your privacy that is at stake. Protect your friends’ privacy and reputations. Be careful about uploading any content that may show you or your friends in compromising situations and be aware that other users may abuse the content you have provided.
Please don’t provide information about yourself or other people unless you are sure you and they are happy to have it made public. In particular, don’t provide any information about others without their consent where that information might identify them, such as:
- tagged photos
Under no circumstances make public other peoples’ home address, email addresses or contact numbers.
If you have any queries about this policy or your personal information please contact: The Data Protection Officer, Saving Faces, 71 Tonbridge Street, Kings Cross, London, WC1H 9DZ
Phone: 020 3417 7757
We may make changes to this Policy from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on the Saving Faces website or by contacting you directly to ensure that you have notice of the updates and so that you have the opportunity to object / withdraw consent.