This privacy notice explains when and why we collect personal information about you, how we use your information and the conditions under which we may disclose it to others. Your personal data is defined as any information that can be directly or indirectly identify you. This notice also explains how we keep your data safe and secure and includes information you need to know about your rights and how to exercise them.
If you have any questions regarding our privacy notice and our use of your personal data or you would like to exercise any of your rights, please get in touch via the following information:
- Email us: info@urostomyassociation.org.uk
- Telephone us: 01386 430140
- Write to us:
Data Protection Enquiry
Urostomy Association
Office 205
No 9 Journey Campus
Castle Park
Cambridge
CB3 0AX
United Kingdom
If you are unhappy with the way we process your data, you can also make a complaint to the Information Commissioner’s Officer (ICO) which regulates the use of information in the UK. They can be contacted by:
- Telephone: 0303 123 1113
- Send a letter in the post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF
- Or by going online to: https://ico.org.uk/make-a-complaint/
If you are based outside of the UK, the complaint should be directed to the relevant data protection supervisory authority in that country.
Who are we?
In this notice, Urostomy Association, ‘we’, ‘us’, ‘our’ means charity number 1131072. We are a data controller; this means that the Urostomy Association decides how your personal data is processed and for what purposes.
How do we process your personal data?
The Urostomy Association complies with its obligations under UK data protection laws by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure, and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
- To enable us to provide a voluntary service for the benefit of our members
- To administer membership records
- To fundraise and promote the mission of the Urostomy Association
- To manage our employees and volunteers
- To maintain our own statutory accounts and records (including the processing of Gift Aid applications).
- To inform you of the Urostomy Association’s news, events, activities and services.
What is the legal basis for processing your personal data?
Explicit Consent
Your explicit consent so that we can keep you informed about news, events, activities and services, and process your Gift Aid and other donations.
Processing is necessary for carrying out obligations under employment, social security, safeguarding or social protection law, or a collective agreement.
Processing can be carried out by us as a not-for-profit body provided:
the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and there is no disclosure to a third party without consent.
Legal Obligation
We will use this condition to process personal information where we are required by law.
Legitimate Interests
Where it is necessary, to achieve our and others’ objectives as an organisation with good reason as long as we can demonstrate that the use is fair and with your reasonable expectations. This might include but is not limited to:
To send you communications through the post which we believe might be of interest to you.
To personalise, enhance or modify and improve our services and communications to you to benefit our customers
To understand how people interact with our website, the effectiveness of our services, our promotional and marketing campaigns, and our advertising.
Whenever we use Legitimate Interest to process data, we perform a Legitimate Interest Balancing Test (LIA) to enable us to consider any potential impact on you (both positive and negative, and your rights under data protection laws. Your information will not be processed if our interests as an organisation override your fundamental rights and freedoms according to the law.
Performance of a contract
Where we are entering into a contract with you, for example, where you may purchase a ticket to an event we have organised.
Vital interests
Where it is necessary to protect your life or your health. An example would be in the case of a medical emergency by an individual attending one of our events.
Where do we store your data?
Your data is secured in our secure cloud servers Dropbox and Microsoft Office365, our network is protected and routinely monitored. We also may store your data in paper forms, they will be kept in secure areas such as locked cabinets.
Sharing your personal data
Your personal data will only be shared within the Urostomy Association (e.g., between the National Office and a Branch Secretary) in order to carry out a service to other members of the Association or for purposes connected with the Association, and only with members’ consent.
We will not share data with third parties outside the Urostomy Association without members’ consent.
Transferring your information outside of the United Kingdom.
We use organisations to support our cloud storage:
Dropbox – the data centres are in the United States. We have performed a balancing test to identify the risks that may be caused when using Dropbox and have identified a low risk. Dropbox have proved a high standard in availability and performance, and it is apparent that security is one of their top priorities. We review this decision regularly.
Microsoft Office 365 – cloud tenants are defaulted to Geo based on the country of the billing address associated with that tenant’s first subscription. The data will be stored in either of the three centres located in the UK which are Durham, London or Cardiff. We have performed a balancing test to identify the risks that may be caused when using Office 365 and have identified a low risk. Office 365 have proved a high standard in availability and performance, and security is their top priority. We review this decision regularly.
When data is transferred outside of the UK, appropriate safeguards are in place to ensure adequate levels of security are in place and are in accordance with data protection laws.
What type of information is collected from you?
The personal information we collect, store and use might include:
- Your name, contact details including postal address, email address and telephone number.
- Your date of birth
- Your bank or credit card details if you make a donation or purchase.
- If we are providing a service to you, we may need to collect certain types of special category data such as your ethnicity, gender and disability.
Data protection laws recognises certain categories of personal information as sensitive or special categories of data and therefore requiring greater protection. For example, information about your health, religion, sex life or sexual orientation.
We do not collect sensitive data about you unless there is a clear and valid reason for doing so and data protection laws allow us.
Social Media
For social media, your data privacy agreement is with the relevant companies and not the Urostomy Association. However, please be assured that we use these media strictly in accordance with their terms and conditions and will never use or share any information about you that we may receive through your use of them.
How long do we keep your personal data?
We retain membership data while it is still current, and Gift Aid declarations and associated paperwork for up to seven years after the calendar year to which they relate. The length of time we keep your information for is determined upon our legal and operational considerations. For example, we are legally required to hold certain types of information to fulfil statutory and regulatory obligations (e.g., employment law, health and safety and tax/accounting purposes).
Your rights and your personal data
Unless subject to an exemption under the UK GDPR, you have the following rights with respect to your personal data:
Right to be informed
You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing.
Right to object
You can object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing.
Inaccurate personal information corrected
Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us, and we are working on ways to make this easier for you to review and correct the information that we hold about you. We will also carry out an annual accuracy check and contact you to ensure your information is up to date. If any information is out of date or if you are unsure of this, please get in touch through any of the contact details listed at the top of this privacy notice.
Right of erasure
You may ask us to delete some or all of your information we hold about you. Sometimes where we have a legal obligation, we cannot erase your personal data.
Right of Restriction
You have the right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
Right to access your information
You have a right to request access to a copy of your personal information we use, why we use it, who we share it with, how long we keep it for and whenever it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required.
Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you. We do not carry out automated decision making.
Portability
You can ask to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form so it can be easily transferred.
Children and Young People
We do not directly collect information from children or young people. Where appropriate, we will seek consent from a parent or legal guardian before collecting personal information about a child or young person.
Use of ‘cookies’
Like many other websites, this website uses ‘cookies’. ‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device such as your computer, mobile phone or tablet. Cookies allow websites recognise your device so that the sites can work more efficiently, and also gather information about how you use the site.
How do we use cookies?
We use cookies to distinguish you from other users of our website. This helps is to provide you with a positive experience when you come to our website.
The cookies that we use
We use categorisation set out by the International Chamber of Commerce in their UK Cookie Guide. We use all four categories of cookies:
- Strictly necessary cookies are essential for you to move around our website and use its features.
- Performance cookies collect anonymous information about how you use our site, like which pages are visited most.
- Functionality cookies collect anonymous information that remembers choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
- Targeting or advertising cookies collect information about your browsing habits in order to make advertising relevant to you and your interests.
This website only uses essential cookies. We do not use cookies from any third party – i.e. there are not advertising or tracking cookies used anywhere on this website.
Transferring your information outside of the United Kingdom
When data is transferred outside of the United Kingdom, appropriate safeguards are in place to ensure adequate levels of security are in place and are in accordance with data protection laws.
Further processing
If we wish to use your personal data for a new purpose not covered by this Data Privacy Notice, then we will provide you with a new notice explaining the new use before starting the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing. When we adopt new projects, we will carry out a data protection impact assessment (DPIA). This helps us identify and minimise data protection risks that may arise from the project.
Changes to this policy
Any changes we may make to this policy in the future will be posted on this website so please check this page occasionally to ensure that you’re happy with any changes. If we make any significant changes, we will make this clear on our website.
We keep this notice under regular review. This policy was last updated 4th January, 2024.