Thyroid UK takes your privacy seriously and is committed to safeguarding it.
Our website may include links to third-party websites, plug-ins and applications. This policy does not cover these external websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
This privacy notice provides you with details of how Thyroid UK collects and processes your personal data.
Under the GDPR (General Data Protection Regulation) there are strict rules about processing data. GDPR has certain data protection principles setting out the main responsibilities for organisations – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Under GDPR organisations must have a valid “lawful basis” in order to process personal data – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
Thyroid UK uses different types of “lawful basis” for the different data it processes and explains which “lawful basis” is being used in this policy.
What is personal information?
Personal information includes any information, recorded or not, that can be used to distinguish, identify or contact a specific individual. This includes information in either paper or electronic form, such as:
- age, title, first name, last name, username, date of birth, gender, telephone numbers, billing address, delivery address, email address, phone number, ID numbers, income or ethnic origin
- opinions, evaluations, comments, social status, or disciplinary actions, credit records, loan records, medical records
Personal information does not include anonymised data.
What does processing personal data mean?
Processing of data means anything that is done to, or with, personal data such as collecting, storing or deleting those data.
Who is accountable?
Every trustee, staff member and volunteer of Thyroid UK is responsible for maintaining and protecting personal information under his/her control. The Chief Executive Officer (CEO) is considered the accountable individual responsible for all data protection matters. Trustees, staff and volunteers will be asked to sign an agreement concerning confidentiality at the time of their engagement.
If you have any questions about this privacy notice, please contact the CEO using the details set out below:
Name of CEO: Lyn Mynott
Email address: firstname.lastname@example.org
Postal address: Thyroid UK, 32 Darcy Road, St Osyth, Clacton on Sea, Essex, CO16 8QF
What personal data do we collect?
Thyroid UK may collect the following personal data for processing:
Identity Data – information volunteered by you by telephone and emails; on order forms, contact forms, membership forms, mailing list forms; participation in our events such as our conferences; our surveys; donations; competitions etc.
Financial Data – may include your bank account and payment card details.
Transaction Data – may include details about payments between us and other details of purchases made by you.
Technical Data – may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access our website.
Profile Data – may include your username and password, purchases or orders, your photo, interests, preferences, feedback and survey responses.
Usage Data – may include information about how you use our website, products and services.
Marketing and Communications Data – may include your preferences in receiving marketing communications from us and our third parties and your communication preferences.
Your Contributions – includes any documents, audio or video recordings, photos, presentations or other materials that you contribute to, participate in, or give to us, along with associated identity and contact data.
Photographs at events – includes photographs of small groups (where we would ask for your consent) and photographs of people at events such as our conferences (where we would ask that you inform us if you do not wish to be in the photographs).
Listings – may include your name, title, address, email, telephone number, facsimile number, degrees, certifications, professional specialty and website link.
Credits – may include your name, contact details, professional specialty, presentations and links to your published papers.
Aggregated Data (information gathered and expressed in a summary form, for purposes such as statistical analysis) – we may also process aggregated data from your personal data but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review your usage data to work out the percentage of website users using a specific feature of our site in order to use this information to benefit our beneficiaries. If we link the aggregated data with your personal data so that you can be identified from it, then it is treated as personal data.
Sensitive Data – for certain uses, we need to process the following sensitive data about you in order to fulfil our mission. We do so under the lawful basis of “legitimate interest” and special condition (b):
“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
- Health conditions
- Use of medication
- Past and current health status
- Other sensitive data you choose to reveal including pain, disability, mood, fatigue, sleep, diet, height, weight, physical activity, social activities, etc.
Where we are required to collect personal data by law, or under the terms of the contract between us, and you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver goods or services to you). If you don’t provide us with the requested data, we may have to cancel a product or service you have ordered, but if we do, we will notify you at the time.
How do we collect your personal data?
We collect data about you through a variety of different methods including:
Direct interactions: You may provide data by filling in forms on our site (or otherwise) or by communicating with us by post, phone, email or otherwise, including when you:
- Subscribe to our publications
- Send us your thyroid story
- Register for or participate in an event
- Ask about thyroid disease and related conditions
- Contact us through our website
- Make a donation or a purchase, including our information pack, conference tickets, membership and sponsorship
- Request resources such as patient information leaflets, fundraising or marketing materials
- Apply to be a trustee or volunteer
- Participate in an interview, video, radio show or other recording
- Ask us to list your involvement with Thyroid UK on our website
By providing us with your data, you warrant to us that you are over 13 years of age.
We use the PayPal shopping basket facility for purchases through our website, which deposits a cookie to hold the contents of your basket. This cookie may not expire when you close your browser, unless you have specifically chosen to set your browser to automatically delete cookies on exit.
We also use the default configuration of Google Analytics, which does not store any information that can identify you personally. The data is only available once it has been aggregated.
Full details on the cookies set by Google Analytics can be found here: https://developers.google.com/analytics/resources/concepts/gaConceptsCookies#cookiesSet
Google also publishes a browser add-on which lets you choose not to allow information about your website visit to be given to Google Analytics.
Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
- Technical data from analytics providers such as Google based outside the EU;
- Identity and contact data from publicly available sources such as Google based outside the EU;
- Contact, financial and transaction data from providers of technical, payment and delivery services such as PayPal based outside the EU;
- Identity, contact, profile and credits data from social networks including LinkedIn, Facebook, Twitter, and other public websites such as PubMed.gov, all based in the United States
How do we use your personal data?
Thyroid UK will only use your personal data when legally permitted. Set out below is a description of the ways we intend to use your personal data and the legal grounds on which we will process such data.
We may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. Please email us at email@example.com if you need details about the specific legal ground we are relying on to process your personal data.
The most common uses of your personal data are:
- Where we need to perform the contract between us:
  - to fulfil your requests for information, products and services i.e. our Information Pack
  - to send you our member magazine, Harmony, including renewal communications and direct marketing that we think will be of interest to you
- Where you consent for us to do so:
  - when you join our mailing lists for our E-news or news about fundraising
  - when you create a login on our website
  - when you voluntarily participate in an interview, video, radio show or other recording
  - when you respond to a plea for copy letters i.e. to your MP
  - when you write to us with a request for help or information or to send us some information and we need to respond to you
  - when you request to be listed on our website or in our Information Pack i.e. list of private doctors and practitioners
  - when you fill out a “Contact us” or “Test Results” form on our website and we need to respond to you
  - when you email us with a request to volunteer and we need to respond to you
  - when you ask us to list your details on our website or in our patient information
  - when you send us a donation and we write to you thanking you
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (or those of a third party):
  - to conduct research
  - to further our charitable aims and objectives
  - to send you communications about Thyroid UK that may help us in our campaigns to change the way thyroid disease is diagnosed and treated
  - to make suggestions and recommendations to you about things that may be of interest to you
  - to improve our services
  - to help us understand more about how our website is used
  - to ask you to complete a survey
  - to enable you to take part in a competition
  - to enable us to send you press releases (journalists etc)
You have the right to withdraw consent at any time. To unsubscribe from our E-news or from news about our fundraising use the unsubscribe link on any emails from us or email us at firstname.lastname@example.org to remove consent from any of the uses listed above.
Where you opt out of receiving our marketing communications, this will not apply to personal data provided to us as a result of:
- the purchase of a product, service, ticket, membership
- a donation
- any other financial transactions
- any other interaction with regulatory requirements for data retention
- Where we need to comply with a legal or regulatory obligation:
  - HMRC (Gift Aid)
  - Companies House – Annual Report
  - Charity Commission – Annual Report
Change of purpose
If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing and ask for your consent.
Will we disclose your information to third parties?
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
We promise that Thyroid UK does not rent, sell or share personal information about you with anyone other than:
Authorised service providers – who perform certain services on our behalf such as Mailchimp and Dropbox. These services may include fulfilling orders, processing credit card payments, delivering packages, providing customer service and marketing assistance, performing business and sales analysis, supporting our website functionality, and supporting contests, sweepstakes, surveys and other features offered through our website.
These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purposes.
We require all third parties to whom we transfer your data to comply with GDPR and respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
If any of our third-party service providers are based outside the EEA and therefore not required to adhere to the UK GDPR, we will do our best to ensure a similar degree of security of data.
If this is not possible, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Authorised medical professionals – if you give consent, so they may provide responses to questions and requests for consultation. These professionals may receive sensitive data if provided by you.
Authorised employees and volunteers – we limit access to personal information about you to employees and volunteers who we believe reasonably need to come into contact with that information to provide products or services to you in order to do their jobs. Our employees and volunteers all sign confidentiality and data protection agreements.
Professional advisers – including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, the Charity Commission, Companies House and other regulators and other authorities based in the United Kingdom – and other relevant jurisdictions who require reporting of processing activities in certain circumstances.
How long do we retain your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
If you contact us by email, letter or telephone we will retain your information in case you contact us again and we need to refer to your previous communications.
Once paper information has been processed, it is scanned onto our system and the paper copy is shredded. Paper order forms are shredded once the order has been sent. Digital order forms are kept for two months and then deleted. If there has been no further communication for five years, all digital records are deleted from our system.
Test results are deleted as soon as they are sent to you. Correspondence regarding your test results is deleted after one month in case of any queries.
Gift Aid forms are kept for at least six years after the last donation, as per HMRC regulations. After this time, if Gift Aid forms are no longer valid, they are shredded.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We regularly monitor which information needs to be deleted from our system.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes or for our annual report, website or our member magazine, Harmony, in which case we may use this information indefinitely without further notice to you.
What security precautions are in place to protect the loss, misuse or alteration of my information?
Unfortunately, communications such as emails, email links and email forms cannot be guaranteed to be 100% secure. Although we do our best to protect your personal information, Thyroid UK cannot guarantee security of any information you transmit to us, and you do so at your own risk. Once we receive your transmission, we make our best effort to ensure its security on our systems by having passwords on all our computers and databases.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed such as backing up our server, having up to date anti-virus, firewall or anti-malware software on our computers, locking filing cabinets and putting passwords onto our computers. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. If your data is taken off site, it will be anonymised.
We have put in place procedures to deal with any suspected personal data breach and the CEO will notify you and any applicable regulator of a breach where we are legally required to do so.
What are your legal rights?
You have rights under data protection laws in relation to your personal data. These include the right to:
- Be informed about how and why we collect your data and what we use it for
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Request restriction of processing your personal data
- Object to processing of your personal data (i.e. direct marketing)
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it was intended. We will ensure this by contacting you regularly to enable you to update your details.
Upon request (Subject Access Request), you will be informed of the existence, use, and disclosure of your information, and shall be given access to that information. You will be able to challenge the accuracy and completeness of the information, and have it amended or removed as appropriate.
As a security measure we may need to request specific information from you to help us confirm your identity to ensure that personal data is not disclosed to any person who has no right to receive it. We will respond to your requests within one month.
You can see more about all of your rights here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
You will not be charged a fee to exercise any of these rights. If you wish to exercise any of the rights set out above, please email us at email@example.com
What if I want to update, correct or delete my personally identifiable information?
It is very important to Thyroid UK that your personal information is correct. If your details change or you believe that any of the other information we hold is inaccurate or out of date or you wish your details to be deleted from our systems, please contact us:
In writing: 32 Darcy Road, St Osyth, Clacton on Sea, Essex CO16 8QF
By telephone: 01255 820407
By email: firstname.lastname@example.org
Openness and transparency
Thyroid UK will make this policy readily available to individuals.
What are my choices regarding collection, use and distribution of my information?
Thyroid UK gives you a choice on all of our relevant forms as to whether or not you are interested in receiving further communications from us.
If you have any questions or suggestions please contact us at email@example.com
What do I do if I have a complaint?
If you are not happy with any aspect of how we collect and use your data, you can make a complaint to the CEO, being the designated individual accountable for Thyroid UK’s compliance.
You have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues – www.ico.org.uk. We would be grateful, however, if you would contact us first if you do have a complaint so that we can try to resolve it for you.
Thyroid UK is registered with the Fundraising Regulator and adheres to the Code of Fundraising Practice – http://www.fundraisingregulator.org.uk/
Thyroid UK is committed to the Fundraising Promise – https://www.fundraisingregulator.org.uk/code/fundraising-promise
Thyroid UK is registered for data protection with the Information Commissioner’s Office – Registration Number: Z1746073