Privacy Notice
Spencer Dayman Meningitis Research has a responsibility to document how we protect your personal data. This is a legal requirement within the Data Protection Act (2018) and the UK GDPR under the ‘Right to be informed’. This privacy notice will outline our responsibilities to you. This notice was last reviewed and updated by our Data Protection Officer in June 2023.
1.0 Key Terms
1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy-to-understand a manner as possible, we do need to use certain terms throughout this privacy notice.
1.2 We will now provide an easy-to-understand definition of each term:
- Charity: This refers to Spencer Dayman Meningitis Research;
- Data Controller: A data controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to protect the personal data from harm;
- Data Processor: In a similar way to data controllers, data processors must protect people’s personal data. However, they only process it in the first place on behalf of the data controller. They would not have any reason to have the personal data if the data controller had not asked them to do something with it;
- Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK, alongside the UK GDPR. It contains three separate data protection regimes:
  - Part 2: sets out a general processing regime (the UK GDPR);
  - Part 3: sets out a separate regime for law enforcement authorities; and
  - Part 4: sets out a separate regime for the three intelligence services.
- Data Subject: A data subject is a living person who can be identified from personal data;
- GDPR: This stands for General Data Protection Regulation (GDPR), the EU’s and the UK’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018);
- Individual Rights: In UK data protection law, individuals have rights over their personal data. These rights allow the individual to ask the data controller to do something, or stop doing something with their personal data. There are eight individual rights;
- Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights, covering laws including the Data Protection Act (DPA 2018), Freedom of Information Act (2000), Privacy and Electronic Communications Regulations 2003 (PECR), and UK GDPR;
- Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests;
- Personal Data: Personal data is information about who you are, where you live, what you do, and more. It is all information that identifies you as a data subject;
- Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data;
- Processing: Processing means taking any action with someone’s personal data, including storing that data, and archiving personal data;
- Spencer Dayman Meningitis Research: The data controller, who has responsibilities for processing under the Data Protection Act (2018), UK GDPR, and other relevant UK privacy legislation.
- Trustees: Data Controllers of Spencer Dayman Meningitis Research, who set the purposes for processing.
2.0 Scope
2.1 The scope for Spencer Dayman Meningitis Research is any data subject, whose personal data is processed upon instruction, in line with UK privacy legislation including the Data Protection Act (DPA 2018), Privacy and Electronic Communications Regulations 2003 (PECR), and UK GDPR.
2.2 We also acknowledge any additional responsibilities requested by the Charity Commission for England and Wales, alongside the privacy regulator in the UK, the Information Commissioner’s Office (ICO).
2.3 The DPA 2018 and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical paper filing system.
2.4 Spencer Dayman Meningitis Research will adhere to the seven UK GDPR data processing principles when handling personal data:
- Lawfulness, Fairness, and Transparency;
- Purpose Limitation;
- Data Minimisation;
- Accuracy;
- Storage Limitation;
- Integrity and Confidentiality (Security);
- Accountability.
2.5 All trustees of Spencer Dayman Meningitis Research who interact with data subjects are responsible for ensuring that this privacy notice is drawn to their attention, at the earliest available opportunity.
3.0 Lawfulness
3.1 Spencer Dayman Meningitis Research is a charity based in England, under charity number 1202202, complying with the laws of England and Wales.
3.2 Spencer Dayman Meningitis Research is registered with the ICO under registration number ZB544504.
3.3 Spencer Dayman Meningitis Research acts as a data controller and data processor. We are responsible for the personal data that we process (on behalf of data subjects), whilst having our own accountability measures in place for ensuring compliance with our UK GDPR data controller responsibilities.
3.4 Spencer Dayman Meningitis Research is a charity that operates across the UK. It funds research to advance the education of the public in general (and particularly amongst scientists) in the prevention and treatment of meningitis and other associated diseases. It also relieves the needs of those affected by meningitis and other associated diseases through awareness and peer support. Spencer Dayman Meningitis Research also determines the scope of data processing, what data we process, and for what purpose.
3.5 From time to time we may appoint data processors on behalf of Spencer Dayman Meningitis Research. There will always be a written agreement in place with each of our data processors documenting how personal data will be processed, the purposes for processing, how the personal data is safeguarded, and how long it will be retained for. Spencer Dayman Meningitis Research has the overall responsibility for all data processors.
3.6 Spencer Dayman Meningitis Research has a duty of care acting as a data controller to appoint a Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is CSRB Limited. CSRB can be contacted by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.
3.7 Spencer Dayman Meningitis Research uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data:
- Contract – personal data is processed by us for the purposes of managing, as an example, a donor’s or volunteer’s engagement with the charity, through the implementation of a contract;
- Consent – the charity gives data subjects a clear choice with regard to the processing of their personal details for a specific purpose and the data subject then gives their clear consent for the charity to go ahead with the processing. Consent must be freely given, specific, informed, and unambiguous. Data subjects will consent via a clear affirmative action. For example, donors providing consent to be entered into a prize draw;
- Legal Obligation – there will be circumstances where we are legally obliged to conduct certain activities, which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation. For example, we may need to check a trustee’s right to work in the UK, as this is a legal obligation;
- Legitimate Interests – the charity must balance the organisation’s interests against the interests, rights, and freedoms of individuals. For example, we would communicate with data subjects regarding important charity information, and to inform data subjects of relevant developments the charity is involved in, using legitimate interest as our lawful basis for this communication.
3.8 Spencer Dayman Meningitis Research may process certain special category data on behalf of our data subjects. This may include the following categories of personal data:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
3.9 Spencer Dayman Meningitis Research ensures that all processing of the above special category data is lawful, fair, transparent, and complies with all the data processing principles of the UK GDPR.
3.10 Spencer Dayman Meningitis Research can only process special category data if we can meet one of the specific conditions in Article 9 of the UK GDPR. We may also have to meet additional conditions set out in Part 1 of Schedule 1 in the DPA 2018.
The Article 9 conditions used by the charity are:
- Explicit consent – we outline our requirements for the data processing to data subjects and record freely given, specific, informed, and unambiguous consent given by an affirmative action;
- Employment, social security and social protection – This condition is met by the charity if:
  - (a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the data controller or the data subject in connection with employment, social security or social protection, and
  - (b) when the processing is carried out, the data controller has an appropriate policy document in place, for example a data processing agreement.
- Health or social care (with a basis in law) – This condition is met if the data processing is necessary for health or social care purposes. In this paragraph “health or social care purposes” means the purposes of—
  - (a) preventive or occupational medicine,
  - (b) the assessment of the working capacity of an employee,
  - (c) medical diagnosis,
  - (d) the provision of health care or treatment,
  - (e) the provision of social care, or
  - (f) the management of health care systems or services or social care systems or services.
- Vital Interests – processing of special category data is required to share personal data in emergency situations, to protect a data subject’s life. For example, a trustee collapses at the charity, is unable to talk, and we need to communicate to a paramedic that they have a medical condition.
3.11 Spencer Dayman Meningitis Research may transfer personal data we collect about you to countries outside the UK. We treat each international data transfer individually and assess the risk associated with the transfer and whether a suitable level of adequacy with UK data privacy legislation is available, within the country to where the personal data is being transferred.
3.12 Data transfers within the EEA/EU/UK flow freely under the ‘Adequacy Decision’ agreed between the UK and European Parliament on 27 June 2021. If the international data transfer is outside the EU/EEA/UK then risk assessment criteria and appropriate safeguards would be put in place, such as Data Protection Impact Assessments (DPIAs). We would then seek the explicit consent of the data subject.
4.0 Fairness
4.1 Spencer Dayman Meningitis Research processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data. There are eight individual rights:
- Right to be informed – data subjects have the right to know why we are collecting and processing personal data; this right is met by the provision of this privacy notice and any subsequent privacy documentation;
- Right of access – you have the right to know what personal data we have on record and request a copy;
- Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;
- Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records;
- Right to restriction of processing – where certain conditions apply you have a right to ask us to only process your personal data for certain processing activities;
- Right of portability – you have the right to have the personal data we hold about you transferred to another data controller;
- Right to object – you have the right to object to certain types of data processing such as marketing;
- Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.
4.2 Spencer Dayman Meningitis Research will only handle personal data in ways that individuals would reasonably expect and not use it in ways that have unjustified adverse effects on them.
4.3 Spencer Dayman Meningitis Research will obtain personal data in a fair way. We will seek explicit consent from the data subject or securely transfer personal data into the organisation where explicit consent has been given and recorded previously.
4.4 Spencer Dayman Meningitis Research always considers the rights and freedoms of data subjects when processing personal data. This could be for individuals or those who are part of a wider group.
4.5 Spencer Dayman Meningitis Research will have a written agreement with each data subject setting out the terms for data processing.
5.0 Transparency
5.1 Transparency is fundamentally linked to fairness. Spencer Dayman Meningitis Research will always be clear, open, and honest with individuals from the start, about who we are, and how, and why we need to use your personal data.
5.2 Spencer Dayman Meningitis Research will inform individuals from the outset regarding the types of personal data we need to process, usually within our charity terms, contract documentation, this privacy notice, and other privacy documentation.
5.3 Spencer Dayman Meningitis Research processes the following personal data types:
- Contact Data (e.g., email address, telephone number, social media account details);
- Location Data (e.g., address, IP address);
- Payment Data (e.g., to meet our PCI compliance requirements);
- Security Data (e.g., passwords and usernames for secure account access);
- Special Category Data (as outlined in paragraph 3.8 above).
5.4 Spencer Dayman Meningitis Research informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this by ensuring all Spencer Dayman Meningitis Research’s trustees receive annual data protection and UK GDPR training, whilst having a company information governance framework with up-to-date policies, procedures, and processes.
5.5 Spencer Dayman Meningitis Research hopes we can resolve any query or concern you raise about our use of your personal data. You can contact Spencer Dayman Meningitis Research in the first instance at any time by telephone on 01454 417975 or via email at SteveDayman@SpencerDaymanMeningitisResearch.org.
5.6 Spencer Dayman Meningitis Research has appointed a certified Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data processing and the protection of your personal data, please contact our nominated DPO at CSRB Limited. They can be contacted by telephone on 0117 325 0830 or via email at dpo@csrb.co.uk.
5.7 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.
6.0 Purpose Limitation
6.1 Spencer Dayman Meningitis Research will always be clear about what the purpose is for any personal data processing from the very start. We process your personal data for the following purposes:
| Purpose for data processing | Legal Base |
| --- | --- |
| Manage donations to the charity | Contract, Legal Obligation |
| Signing up to our charity newsletter | Consent |
| Entering prize draws | Consent |
| Communicating with you about charity news and updates | Consent, Legitimate Interest |
| Any contractual agreements between the charity and data subjects | Contract, Legal Obligation |
| Notifying you of fundraising appeals and upcoming events | Consent, Legitimate Interest |
| To maintain the internal processes and systems of the charity | Contract, Legal Obligation |
6.2 Spencer Dayman Meningitis Research will record our purposes for personal data processing as part of our legal reporting obligations. We will also document them in any additional privacy documentation provided.
6.3 Spencer Dayman Meningitis Research will only use personal data for a new purpose if this is either compatible with the original purpose, or we obtain consent, or we have a clear obligation, or function set out in law.
6.4 Spencer Dayman Meningitis Research may need to disclose your personal data to the parties listed below. This is so that we are able to provide our services to you. We will not disclose your personal data to any other third party. Where this is required, the charity ensures that the data recipient adheres to adequate data protection requirements. Such instances could include:
- Approved service providers (such as event organisers, caterers, travel, other service providers);
- Sponsors and donors;
- Fraud prevention agencies, money laundering agencies, and other professional associations; and
- Regulators and law enforcement agencies, including the Police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction.
6.5 Spencer Dayman Meningitis Research will share personal data with law enforcement or other authorities, as detailed above in 6.4, if required by law.
7.0 Data Minimisation
7.1 Spencer Dayman Meningitis Research always ensures the personal data we are processing is:
- Adequate – sufficient to properly fulfil our stated purpose;
- Relevant – has a rational link to that purpose; and
- Limited to what is necessary – we do not hold more than we need for that purpose.
The UK GDPR does not define these terms. As this is the case, Spencer Dayman Meningitis Research accepts these terms may have a differing definition from one individual to the other, as the processing will depend on the specified purpose for collecting and using the personal data.
7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before any data processing activities take place.
7.3 For special category data or criminal offence data, we understand the importance of collecting and retaining only the minimum amount of information.
7.4 Spencer Dayman Meningitis Research undertakes an annual data protection audit with an external certified data protection service provider, to review our personal data processing, and to check that the personal data we hold is still relevant and adequate for the stated purposes.
8.0 Accuracy
8.1 Spencer Dayman Meningitis Research will take all reasonable steps to ensure the personal data we hold is accurate and up to date.
8.2 Spencer Dayman Meningitis Research will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.
8.3 Spencer Dayman Meningitis Research will always record the source of where personal data came from and ensure the source is compliant with UK privacy laws, including the UK GDPR.
8.4 If we need to keep a record of a mistake, we clearly identify it as a mistake, and add this to our records of processing for audit purposes, and continuous improvement.
8.5 All of Spencer Dayman Meningitis Research’s records clearly identify any matters of opinion, and where appropriate whose opinion it is, and any relevant changes to the underlying facts.
8.6 Spencer Dayman Meningitis Research will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data.
8.7 As a matter of good practice, we keep records of processing of any challenges to the accuracy of the personal data.
9.0 Storage Limitation and Deletion
9.1 Spencer Dayman Meningitis Research will not keep personal data for any longer than is necessary to fulfil the original stated purpose for the processing of such personal data.
9.2 Spencer Dayman Meningitis Research will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified.
9.3 Any retention of personal data will be carried out in compliance with legal, professional body, and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.
9.4 Spencer Dayman Meningitis Research acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to the data controller to determine and document accordingly at the earliest possible opportunity.
9.5 Spencer Dayman Meningitis Research has a personal data retention and deletion policy in place, which documents the types of record or information we hold, what we use it for, and how long we intend to keep it.
9.6 Spencer Dayman Meningitis Research periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it for the original purpose.
9.7 Spencer Dayman Meningitis Research also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need the personal data.
9.8 Spencer Dayman Meningitis Research acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific, or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.
9.9 When Spencer Dayman Meningitis Research is provided with an instruction to destroy data it must be destroyed irretrievably either in paper or electronic formats. Paper records will be destroyed by an approved contractor who can provide evidence of destruction and a certificate of destruction. Spencer Dayman Meningitis Research will retain this certificate.
9.10 Spencer Dayman Meningitis Research also has secure destruction procedures and processes for any of the devices it has used for the storage of personal data. Spencer Dayman Meningitis Research will retain evidence of any equipment destruction and confirms that the destruction is beyond any prospect of retrieving data stored within the device.
10.0 Data Transfer and Confidentiality (Security)
10.1 Spencer Dayman Meningitis Research will undertake an analysis of the risks presented by our personal data processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) annually.
10.2 We have an information security policy and take steps to make sure the policy is implemented. For example, we undertake an annual information security review with an accredited external provider. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
10.3 Spencer Dayman Meningitis Research makes sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
10.4 Spencer Dayman Meningitis Research conducts regular testing and reviews of our measures to ensure they remain effective, and acts upon the results of those tests where they highlight areas for improvement.
10.5 Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism, such as Cyber Essentials certification, and additional quality standards.
10.6 We ensure that any data processor we use also implements appropriate technical and organisational measures.
10.7 Spencer Dayman Meningitis Research does not use tracking cookies on our website to track user behaviour and/or improve site experience. The UK GDPR and PECR interpret data collected by cookies as personal data. They prohibit the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number, or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous.
11.0 Accountability
11.1 Accountability is one of the UK GDPR data processing principles. Spencer Dayman Meningitis Research takes our responsibility for complying with the UK GDPR very seriously, as documented by this privacy notice.
11.2 Spencer Dayman Meningitis Research has put in place several measures that we can, and in some cases must take, including:
- adopting and implementing data protection policies and procedures;
- taking a ‘data protection by design and default’ approach;
- putting written contracts in place with those whose personal data we control and process;
- maintaining documentation of our processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
- ensuring Spencer Dayman Meningitis Research trustees receive annual UK GDPR and privacy legislation training;
- appointing a data protection officer;
- undertaking annual data protection and information governance audits; and
- adhering to relevant codes of conduct and signing up to certification schemes (where applicable).
11.3 Spencer Dayman Meningitis Research understands that accountability obligations are ongoing. We review and, where necessary, update the measures we have put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation.
11.4 Spencer Dayman Meningitis Research understands that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action.
11.5 If you have any questions or concerns about how we process and protect your personal data not covered in this privacy notice please contact Spencer Dayman Meningitis Research by telephone on 01454 417975 or via email at SteveDayman@SpencerDaymanMeningitisResearch.org.
Date last reviewed: June 2023
Approved by: Dr Steve Dayman MBE, Founder & Trustee
Reviewed by: Chris Burn, Data Protection Officer