Date published: 16 December 2021
At PSC Support, we respect your privacy and take great care with personal information we hold about you. Personal information means information that can be used to identify you, such as your name, email address or phone number.
This policy sets out how we collect and handle information about you when you visit our website (www.pscsupport.org.uk), use our services, purchase or order a product or subscribe to our news bulletins. We are concerned about protecting the privacy of young people and do not knowingly collect personal information from anyone under the age of 16.
1. Who we are
We’re PSC Support, the UK-based charity dedicated to improving the lives of people affected by primary sclerosing cholangitis (PSC). PSC Support is a charitable incorporated organisation (CIO) (registered charity number 1175427). PSC Support was previously registered with the Charity Commission as an unincorporated association (registered charity number 1115615).
PSC Support is the controller and responsible for your personal data.
2. Your rights under data protection laws
Under data protection laws, you have a number of rights relating to data protection which can be found on the Information Commissioner’s Office website: https://ico.org.uk/for-the-public/personal-information/, and these are set out briefly as follows:
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us.
3. How to get in touch with us
You can get in touch about personal information we hold about you, to raise any queries you may have about this policy or exercise any of your rights by contacting Martine Walmsley, Chair of Trustees of PSC Support:
- by email: firstname.lastname@example.org;
- by phone: 01235 25 35 45; or
- by writing to PSC Support, Unit 23056, PO Box 4336, Manchester, M61 0BW.
Please include any details that will enable us to find your relevant personal information. We may ask you to provide us with proof of identity before any action is taken or information is disclosed to avoid disclosing information to an imposter. Sometimes, these rights are subject to certain conditions and limitations.
If you are unhappy with our response to a data request you have made, you may contact the Information Commissioner’s Office website: https://ico.org.uk/for-the-public/personal-information/.
4. How we collect information about you
We use different methods to collect data from and about you, including:
Direct interactions: We collect information when you interact with PSC Support by email, by phone, in person or online such as when you send us a message, tell us about your fundraising, get in touch for support, apply for research funding, buy or order a product or browse our website.
Third parties: As a small organisation, we have chosen to use trusted outsourced online services where this will provide a more secure, efficient service. We therefore collect information about you via these online services and as such they may share with us the information you have provided in accordance with their own privacy policies. These outsourced services include: the provision of email services, event management, survey management, e-commerce and payment processing.
Automated technologies or interactions: As you interact with our website, we will automatically collect data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
5. Looking after your information
The transmission of information over the internet is never completely secure. Although we do our best to protect your information, we cannot guarantee the security of information transmitted to our website and you do this at your own risk.
We store and process your personal information using cloud-based software. Access to your personal information is limited to volunteers, trustees or staff of PSC Support who need access for their role in the charity and appropriate security and training is put in place to avoid unauthorised sharing of information.
We will not pass on your personal information to other organisations for the purpose of direct marketing without your explicit prior consent. In certain circumstances, we will pass on your personal information to the police, regulatory bodies or legal advisors in the event of concerns regarding safeguarding or criminal activity.
Many of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see: European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see: European Commission: Model contracts for the transfer of personal data to third countries.
- We will take steps to safeguard personal data that is being internationally transferred to non-EEA countries that have not been approved by the European Commission. This includes using 'standard contractual clauses' which have been approved by the European Commission; or by gaining explicit consent from individuals whose personal data appears on our website. Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
6. Why we process information about you
6.1 Applications for Research Funding
When an application for research funding is submitted to PSC Support, the personal information collected as part of the application may include:
- first name, surname, title;
- address, email address, telephone numbers (personal and institutional); and academic and employment history. The individuals to which this information relates may include:
- the person making the application (the “Awardholder”);
- any person working on the activity for which we are providing funding under the Awardholder’s supervision, including any co-applicant, co-investigator or collaborator, sponsor, supervisor, consultant, sub-contractor, visiting fellow, students or employee of the Recipient (the “Research Personnel”); and
- the Head of Department of the person making the application.
The majority of this information will be provided by the Awardholder as part of his/ her application.
The information collected as part of the application will be reviewed internally, and may also be shared with members of the PSC Support Expert Panel and our Scientific Review Committee. The information may also be shared with external peer reviewers in order for them to review the application.
Processing personal information in this way is necessary for the purposes of our legitimate interests, those being to administer and evaluate the application, to assess eligibility for funding, to monitor funding statistics, and to contact the Awardholder about the application.
When an application for research funding is successful
If the Awardholder’s application for funding is successful in whole or in part, in addition to the information collected as part of the application, we may collect the name and contact details of the Awardholder’s Head of Department and Recipient’s finance/grants personnel, and the following information about the Awardholder and the Research Personnel:
- Award reference, title, period and value and type;
- Research progress information; and
- Outcomes relating to the Research.
We use different methods to collect this data, including through:
- information provided by the Awardholder as part of the application and Grant Start Form;
- information provided by the Awardholder as part of the interim, final and outcome reporting.
- the following third parties:
a) the university, institution, research council or other body by which the Awardholder is employed or at whose premises some or all of the activity funded by us will be carried out (the “Recipient”);
b) Researchfish; and
c) the Research Personnel.
The information will be used internally and may also be shared with members of our Expert Panel or external peer reviewers, our Scientific Review Committee, other research organisations or funding bodies (including the Association of Medical Research Charities (AMRC) and Researchfish.
It is necessary for the purposes of our legitimate interests to process the information in this way to administer and manage the performance of the award, administer our accounting records, monitor funding statistics, measure the outcome of our awards and the impact of funding, informing our future funding plans and to collaborate with other funders and research organisations to articulate and improve research outcomes.
We may publish information (including the information contained within the “Public Research Award Information” and “Lay Summary” sections in our Award Letter and Reports, and any material about the findings or outcome of the Awardholder’s research) on our website, news bulletins, annual report, promotional material and publications.
Publicising the information in this way is necessary for the purposes of our legitimate interests in supporting and developing our fundraising activities. It educates people affected by PSC and potential donors about our work and further publicises the Awardholder’s research.
6.2 When you send us a message
When you send us a message or email us for information and support, to provide feedback, to make an enquiry or to complain, we may request your name, address, email address or phone number so that we can deal with and respond to your message or provide you with the information, products or services you have requested.
Some of the information you voluntarily provide is special category data relating to your health. Our lawful basis to process any special-category data in these circumstances is consent. In the case of email support, the act of emailing us would constitute your explicit consent for the purpose of processing this special category data.
Our lawful basis for the processing of non-special category data is our legitimate interest to provide you with a response and/or services as you would reasonably expect following your request for contact. In some cases, such as when you ask for a collection box, our lawful basis for processing your information is our legal obligation to maintain proper records.
You can email email@example.com to request that we do not reply and/or your personal information deleted our records. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
6.3 When you sign up for our email bulletins
When you sign up for our email bulletins, we may request your name, email address, country of residence and interest in PSC including health information.
Where you have specifically agreed, we use the information you provide to send to you general email bulletins or email bulletins that are relevant to your geographic region or interest in PSC.
We use anonymised data from our mailing list for providing statistics to support our charitable activities.
The lawful basis for sending you our email bulletins is consent. You can withdraw your consent at any time by unsubscribing yourself by clicking on the ‘unsubscribe’ links provided at the end of each news bulletin. Alternatively you can email firstname.lastname@example.org to request that you are unsubscribed and your personal information deleted from the mailing list. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
The lawful basis for processing your anonymised data is our legitimate interest to provide statistics to support our work in PSC advocacy, information and research. This supports the charitable activities of PSC Support to improve the lives of people affected by PSC. We only collect details of your interest in PSC with your specific permission at the time you provide it.
6.4 When you sign up for Liver Patients’ Transplant Consortium (LPTC) emails
When you sign up for LPTC emails, we may request your name, email address, and patient organisation affiliation. We use this information to send you emails on behalf of the LPTC. You can inform us at any time that you no longer require LPTC emails.
We use anonymised data from the LPTC mailing list to provide statistics (on behalf of the LPTC) to support the activities of the LPTC. Access to LPTC mailing list information is limited to volunteers and staff of PSC Support and the current elected Chair(s) of LPTC.
The lawful basis for processing this information is PSC Support’s legitimate interest to send you LPTC emails on behalf of the LPTC to further the joint goals of the partnership of LPTC members. You can unsubscribe at any time by unsubscribing yourself by clicking on the ‘unsubscribe’ links provided at the end of each LPTC email. Alternatively you can email LPTC@pscsupport.org.uk to request that you are unsubscribed and your personal information deleted from the LPTC mailing list.
6.5 When you make a donation or payment to us
When you use our website to make a donation or payment, you provide your card information or bank details to our third party payment processors, who specialise in the secure online capture and processing of online financial transactions. The third party payment processors send information about your donation to PSC Support. We have access to the information needed to prepare our accounting records and in some cases, provide confirmation of receipt of donation and thanks and/or process Gift Aid claims and we do not have access to any personal financial information such as credit card numbers or bank account details.
If you donate to us by BACS or direct transfer, the information received by us is only what the bank identifies, which is usually your name, amount and date donated, and a reference number.
The lawful basis for this processing is our legitimate interest to administer your payment or donation and our legal obligation to maintain adequate accounting records.
If you indicate that you would like us to claim Gift Aid with your donation, we will pass your name, address and donation details to HMRC for processing.
The lawful basis for processing your personal information for Gift Aid is our legal obligation to process and maintain Gift Aid records.
6.6 When you set up an online fundraising page
To enable you to collect sponsorship money and donations easily, PSC Support is registered with online fundraising platforms. The use of the personal information that you provide to these platforms is governed by their own privacy policies.
When you set up a fundraising page, each platform may give PSC Support access to details of your fundraising and your contact details. We may use the information they provide about you to get in touch with you about your fundraising, for example to thank you for your fundraising efforts and for administrative purposes.
The lawful basis for this processing is our legitimate interest to record and support your fundraising.
6.7 When you ‘Tell Us Your Story’ or take part in a survey
The information you provide when you respond to our ‘Tell Us Your Story’ feature may include you voluntarily providing special category personal data relating to your health and family life in addition to some biographical and contact information. Our lawful basis for processing non-special category personal data in these circumstances is our legitimate interest to collect, analyse and share survey data to help improve the lives of people affected by PSC, to influence policy and research and support our charitable activities.
The lawful basis upon which we rely to process any special category personal data is consent. You can decide if you want to remain anonymous or if you are happy to share your personal details. To help further our work, we may make some of the information (including photographs and video) you provide public when you specifically agree. This may include publishing it on our website, in social media, in presentations at conferences and meetings, in our news bulletins and in materials promoting our advocacy and fundraising work, or in documents such as our Annual Report.
If you take part in a survey, we will only collect personal information if it is necessary for the purposes of that survey, and always describe the purpose of each survey and how the information will be used at the time you take part.
Some of this includes special category personal data such as your age, whether or not you have PSC, have had a transplant or other procedures, where you live and your opinions on various PSC-related topics so that we can demonstrate that we are representing the views of particular groups of people. The survey results that we share are always anonymised unless you have given your explicit consent. We occasionally ask for your email address for the purposes that include following-up on the survey or offering a prize, and we will only ever use this only for the purpose stated.
Our lawful basis for processing personal information when you complete a survey is our legitimate interest to collect and analyse survey data to help improve the lives of people affected by PSC.
Where we collect and use sensitive personal information, your email address or photo in a survey, our lawful basis is your specific consent.
You can withdraw your consent at any time by emailing email@example.com. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
6.8 When you appear in a video recording
When you appear in a video we may make that recording available to the public with your specific consent for the purposes of raising awareness of our condition and issues that affect people with PSC. This may include publishing it on our website, on YouTube, in social media, in presentations at conferences and meetings, in our news bulletins and in materials promoting our advocacy and fundraising work, or in documents such as our Annual Report. We will also collect your contact details so that we can keep in touch with you about the recording.
We use your specific consent as our lawful basis for using a recording of you. You can withdraw your consent at any time by emailing firstname.lastname@example.org. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
6.9 When you buy or order something from us
PSC Support uses third party e-commerce services to sell products such as ‘eBay for Charity’. When you buy something from us via eBay, eBay provides us with details of your purchase and your contact details. We use your contact details to send you your purchase(s). We share your delivery address with the courier or postal service we use to send you the item. The lawful basis for this processing is performance of contract and we only use the information about you as has been agreed between us.
When you buy or order a product from our website, we collect details of your purchase and your contact details. We may collect financial information where you make a payment, such as bank details or credit/debit card details, although we don't store credit or debit card details (see section 6.5). We use your contact details to send you your purchase(s). We share your delivery address with the courier or postal service we use to send you the item. The lawful basis for this processing is performance of contract and we only use the information about you as has been agreed between us.
6.10 When you register for an event
When you register for an event we may ask you to provide your name, interest in PSC (health information), dietary requirements and other information relating to your attendance at the event.
The lawful basis for this processing is our legitimate interest to manage an event and we only ask you to provide the information necessary for us to organise and communicate with you about the event. We only use the information about you as you’d reasonably expect.
We use your specific consent as our lawful basis for processing your health information. You can withdraw your consent at any time by emailing email@example.com. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
6.11 When you use our message boards or a social networking site
If you contact us directly via social media, then we will use the personal information you reveal to us for the purposes of responding to your message. The lawful basis for doing this is our legitimate interest to respond to your message. If special category personal data (such as health data) is shared with us in this way, we use your consent as the lawful basis for processing this data. Getting in touch with us via social media would constitute your explicit consent for the purpose of this special category data.
6.12 When you use our website
When you use our website, we collect information about your use, including your IP address, how much time you spend on our site and what you like to view.
The lawful basis on which we process your personal information, strictly necessary for you to use to our website, is our legitimate interest in providing a website. For other cookies, we rely on your consent to provide you with the best possible communications and website we can. See PSC Support’s Cookie Declaration at https://www.pscsupport.org.uk/cookies/ for information on the cookies we use and to change or withdraw your consent to the cookies used at any time.
Links to other websites
6.13 When you call our helpline or book a helpline call
When you call our helpline we may collect your phone number when it automatically appears via our telephone software service. When you make an appointment for a helpline call, we will collect your name, email address, phone number and preferred date and time slot.
We do not use your phone number for any other purpose than receiving your call, returning your call if you explicitly ask us to call you back, and calling you at the appointed date/time if you have made a booking. If you book a helpline call, we use your email address for the purposes of communicating with you about your appointment. Examples of this email communication include:
- Confirming the date/time of the booked call
- A reminder the day before the booked call
- A reminder 1 hour before the booked call
- A follow-up email to ask for anonymous feedback about our service
- Sending you information you have requested during the call
During the call, we may make general notes about the content but do not store any identifiable data with those notes. This is to allow us to monitor the nature of the calls for the purposes of improving our service. Any identifiable data provided in relation to the helpline call is completely removed from our records within one month of that call.
If you contact our helpline, then we will use the personal information you reveal to us for the purposes of responding to your request for support and information. The lawful basis for doing this is our legitimate interest to respond to your helpline call. If special category personal data (such as health data) is shared with us in this way, we use your consent as the lawful basis for processing this data. Getting in touch with us via the helpline would constitute your explicit consent for the purpose of processing this special category data.
We may at times need to process your personal data in order to protect a life, for example, if we consider you or another person to be in immediate danger. The lawful basis for processing your data in this way is vital interests.
7. How long we retain information about you
We will keep your personal information only for as long as reasonably necessary to fulfil the purposes we collected it for or in accordance with our legal obligations.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In cases where we rely on your consent as the lawful basis for processing, we may ask you to renew your consent periodically. If you ask us to stop contacting you, to stop processing your information or unsubscribe, we will keep a limited record of your contact information to ensure we comply with your request.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
In some circumstances you can ask us to delete your data.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information, we will promptly assess the risk to your rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
9. Changes to this policy