If you don’t have time to read the whole policy now, this introductory Privacy Notice is a brief summary of the policy.
In carrying out our day-to-day activities we process and store personal information relating to our supporters and we adhere to the requirements of the UK Data Protection Act (DPA) 1998 and, on implementation, the General Data Protection Regulations (GDPR) 2018.
- ‘Processing data’ means obtaining, recording or holding information, or carrying out an action such as organising, disclosing or destroying the information.
- ‘Direct marketing’ means the communication of any advertising or marketing material which is directed to particular individuals.
- ‘Administration’ means the processing of data which excludes any element of direct marketing. Examples include: sending a thank-you letter to acknowledge a donation; sending race details to race participants; sending out materials requested for fundraising purposes; sending out advance-notification letters for direct-debit purposes; providing fundraising support for those who have opted to fundraise for Tommy’s.
The type of communications and information you receive about our charity and the ways in which you can get involved are your choice. You can change your mind at any time, or ask to see the information we hold about you, by contacting the Data Controller: Tommy’s, Nicholas House, 3 Laurence Pountney Hill, London, EC4R 0BB, or by phone on 0207 398 3461 or via email at [email protected].
- We collect information about:
- Visitors to our websites and owned social-media channels (eg Tommy’s Facebook page, Twitter and Instagram)
- Our supporters (including our past and present donors, event participants, individuals giving non-financial assistance), prospective supporters, partners and beneficiaries and members of the public who make contact with us, including those who share their personal stories with us
- Complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry.
- We collect:
- Personal data. Examples are names, dates of birth, email addresses and postal addresses. For more examples please see Paragraph 4 of the full policy. We also collect Internet Protocol (IP) addresses: this is information a computer uses to identify a networked computer to which it transmits
- Non-personal data. An example is the web pages accessed on a computer: we collect this information so that we can show users the articles they have recently read, and improve their user experience.
- We collect information that we need to, or that we believe would be useful to provide our services, products and information (see Paragraph 6). These purposes comprise:
- Fundraising for Tommy’s
- Fulfilling Tommy’s legal obligations
- Marketing – this includes prospect research (see Paragraph 14)
- Supplying pregnancy information.
- We seek your consent if consent is necessary. To assess whether consent is necessary we carry out a balancing exercise between your rights and expectations, and our legitimate interests to carry out the data processing activity, consistent with the law.
- We will never sell your data to any individual or organisation.
- We will only pass on your information:
- If we are legally required to do so, or
- To a third party which is acting on our behalf to fulfil a service that we provide (see Paragraph 9).
- We keep the information we hold about you accurate and up-to-date so far as we are able.
- We do not routinely collect dates of birth for supporters. However, if we believe a supporter or donor may be under the age of 16 we take all reasonable care to establish whether their contact with us is made under the supervision of a teacher, parent or guardian.
- Younger children only participate in our events and fundraising activities in the presence of, or under the guidance of, a parent or guardian. If a parent or guardian chooses to give us the name of a child involved in a fundraising activity, we add the child’s name to our database and we share the name with one of our data processors (Orbital) so that they can produce a personalised certificate for the child, on behalf of Tommy’s (see Paragraph 9).
- We follow the Code of Fundraising Practice for the UK, issued by the Fundraising Regulator, to ensure that we treat all donors, including vulnerable donors, fairly.
- If you ask us to remove your personal information from our records, we will retain your key details – ie your name, home address and email address – on a suppression list to make sure that we do not contact you again, and we will destroy all other information we hold about you. (If we were to remove your details completely we would have no record of your wishes, and therefore someone from Tommy’s might inadvertently contact you again.)
- We use a secure server for all areas of our website which collect personal information.
- We review and update our application of this policy at least every four years.
Tommy's exists to save babies' lives. We fund research into the causes and prevention of pregnancy complications that lead to miscarriage, stillbirth and premature birth. We also provide pregnancy health information for parents-to-be.
Tommy’s is registered as a charity in England and Wales (registered charity number 1060508), and in Scotland (registered charity number SC039280). We are also registered as a company limited by guarantee (company number 3266897).
We also have two wholly owned subsidiary companies of Tommy’s. These are:
- The Baby Fund Trading Limited (registered company in England and Wales number 2557706) to record our activity classed as trading for example the selling of sponsorship rights, and
- LLHM Limited (registered company in England and Wales number 10584979) to manage our event-driven activity, specifically the London Landmarks Half-Marathon.
Within the context of this policy, ‘we’ means both the charity and its subsidiaries.
In carrying out our day-to-day activities we process and store personal information relating to our supporters and we adhere to the requirements of the UK Data Protection Act (DPA) 1998 and, on implementation, the General Data Protection Regulations (GDPR) 2018.
We take our responsibilities under data protection regulation seriously and we ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with those regulations and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations.
Personal data is information that can be used to identify an individual, such as name, address, phone number or email address.
Personal information is information that can be used to identify you. It may include your:
- Date of birth
- Email address
- Postal address
- Bank account details
- Job title and employer
- Mobile and landline telephone numbers
- Marital status
- Pregnancy experiences (including pregnancy loss) if you share these with us, and
- The reason you give us for supporting Tommy’s.
It may also include:
- Details of any opt-in and opt-out preferences you have communicated to us
- Whether or not you are a UK tax-payer (so that we know whether or not we can claim Gift Aid)
- Details of any gifts you have given to Tommy’s
- Details of any Tommy’s events you have participated in
- Notes relating to our relationship with you. Examples of this could be:
- Correspondence between you and Tommy’s
- Connections between you and other individuals or organisations known to Tommy’s, and
- Data gathered through prospect research (see Paragraph 14).
These lists are not comprehensive, but they are intended to give an indication of the sort of information we collect.
We collect this personal information about you when you ask about our activities, register with us (for example, registering on an app, or sign up to receive pregnancy information), make a donation to us, register for an event, engage with our social media or message boards, order products and services (such as publications and email newsletters), otherwise give us personal information, or become known to us as someone who might consider connecting with Tommy’s in some way.
If you do nothing other than read pages or download information from our website, we may gather information about this use, such as which pages are most visited and which events or activities are of most interest. This information can be used to help us improve our website and services and ensure we provide you with the best service. The information we use for this purpose is aggregated or anonymised, ie it will not identify you as an individual visitor to our website. More information can be found in Paragraph 16.
In recording this information, we apply all the usual data protection principles outlined in this policy, so people sharing this information can feel confident that this information will not be used or stored inappropriately, and they retain the right to access this information or to request its removal at any time.
If you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that we manage this securely and in accordance with the Payment Card Industry Data Security Standard.
If you are a direct-debit donor, access to your bank details is restricted so that only the team that processes details can access it. Your bank details will be deleted if and when you cancel your direct debit 12 months after cancellation – to enable the charity to resolve any queries or disputes that may arise in relation to a direct debit claim. We do not store your credit or debit card details at all following the completion of your transaction: all card details and validation codes are securely destroyed once the payment or donation has been processed. Only those staff authorised to process payments will be able to see your card details. If we receive an email containing any credit or debit card details the email will be immediately deleted, no payment will be taken and you will be notified about this.
We do not store your financial information for longer than we need to.
Sensitive data, as defined by the GDPR, comprises:
- Physical or mental health or condition
- Sexual life
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- The commission or alleged commission by the data subject of any offence, or any proceedings for any offence that are ongoing.
We collect sensitive personal data about our supporters only if there is a clear reason for doing so. For example:
- Where Tommy’s acts as Race Organiser we collect information about any disability you may have if you are planning to participate. We pass this information on to our Event Management Company and the Event Medical Director, to ensure we provide appropriate support to enable you to participate.
- We collect sensitive personal data in the form of information about supporters’ pregnancy losses and live babies. We use this data on individuals’ personal experiences to ensure we provide a sensitive, caring and personalised supporter experience to them. Supporters appreciate it when we remember the name of their stillborn child, and we could cause distress if we did not remember that they had lost a baby.
These are examples of how we may collect and use your personal information:
- In the provision of services, products or information you have requested. For example:
- The processing of any donation(s) we may receive from you
- To ask you to help us raise money, donate money to our charity or provide non-financial assistance (but always in accordance with your marketing preferences)
- The provision of information about our work or our activities, that you have asked to receive
- To send you items you have requested by telephone or via our website
- To analyse and improve the services we offer.
- For administration purposes. For example:
- We may contact you about a donation you have made or an event you have expressed an interest in or registered for
- We may send you information about a race or other event you are a participant in
- For internal record-keeping, such as the management of feedback or complaints
- To record website traffic or to personalise the way our information is presented to you.
- For legal purposes. For example:
- Where the processing is required or authorised by law
- For the purposes of credit risk reduction or fraud prevention (regrettably some people target charities for illegal purposes such as money laundering, and we are therefore required to monitor financial activity and report suspected fraud to the appropriate authorities).
- For marketing purposes. For example:
- We may supplement or add to the information we hold about you with information that is available through, or we receive from, other sources, eg public registers, or third-party information services. This allows us to send you the most relevant information and promote those fundraising opportunities that we believe you are most likely to be interested in.
- We may contact you by mail, email, phone, text or social messaging; in some cases, this will require getting your consent.
- If you share a personal story with us via our website or social media channels we may invite you to consent to future communications from us and to sharing your story more widely. Sometimes Tommy’s is invited by journalists to contribute to news stories relating to our cause, and in this situation we may invite you to participate or to allow us to use your story for these purposes.
- We may use the information for prospect research purposes. Prospect research means gathering and reviewing freely given, publicly available data (from sources such as news articles, Charity Commission, Companies House) to identify individuals and organisations who may have the capacity and inclination to give a major gift to Tommy’s. Gathering such data helps us to approach potential donors in the right way, and avoid excessive and inappropriate approaches. See Paragraph 14.
- For fundraising purposes. For example, if you are a fundraiser:
- We advise you on setting up a fundraising page
- We offer you fundraising materials to help you with your fundraising
- We advise you on the best ways to fundraise
- We make you aware of your obligations, where Tommy’s has purchased your fundraising place.
We do not need your consent to process your data for legal purposes or for many administrative purposes, but in some cases we do need your consent to use your data for data processing, including direct-marketing purposes (see Paragraph 7).
If you have asked us not to use your information for marketing purposes we will retain your name, home address and email address on a suppression list to ensure we do not continue to contact you.
For some data processing activities we may need your consent before we can contact you. We carry out a balancing exercise to assess whether or not we need your expressed consent to conduct our activities. To do this, we consider both the content of the personal data that we collect and the way in which we wish to use that data.
- In some cases our balancing exercise concludes that opt-in consent is required, for example for most direct-marketing activities. Where consent is required we ensure that no direct marketing takes place unless you have ‘opted in’.
For example we may wish to contact a donor who has given to Tommy’s in the past to ask them for further support, because people who have previously given are statistically more likely to support the same charity again, and this will help us to increase our funds raised. Our balancing exercise shows that:
- We may contact such a supporter by post without seeking express consent, so long as the number of letters is proportionate to how recently the donor gave to Tommy’s (for example a donor who gave to us five years ago would not expect to receive more than one letter a year).
- But the donor’s right to privacy and reasonable expectations over-ride Tommy’s interest in continuing contact with them by telephone or by email, and we would not therefore make any contact by these means without express consent.
- In other cases our balancing exercise concludes that opt-in consent is not required for us to process the data, because we have a legitimate interest in processing the data that is not overridden by the individual’s rights and interests.
For example, if we receive information about a new donor who wants to make monthly donations we will add the donor’s details to our database and use this information to issue BACS instructions to the bank. We do this in order to claim the regular gift that the donor wishes to make.
Our balancing exercise shows that Tommy’s has a legitimate interest in processing the donor’s data, in order to facilitate the regular payments the donor wants to make. This legitimate interest is not over-ridden by the individual’s rights and interests.
On all our fundraising forms we use the following statement to invite you to express your preference for how you would like us to retain contact with you:
Please tell us if you would be happy for us to contact you with this information:
In this way we give you the opportunity to opt in or opt out of further communications with us, and to express your preferred method of communication. If you have opted in to further communications we will automatically invite you to update this option every two years; or at any appropriate earlier time that is required; or at any appropriate later time in the case of multi-year funding commitments.
We may share your information with our data processors. Our data processors are organisations which carry out fulfilment activity for us such as sending out running vests and processing our thank-you letters (Orbital); or carry out marketing services such as sending out mass emails, subject to your communication preferences and our internal policies and procedures (Force 24).
We may also disclose your personal information to third parties if we are required to do so by a legal obligation (for example to the Police or a government body); or to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.
We will not share your information for any other purposes.
Many of our supporters who participate in events to raise funds for Tommy’s set up a personal page on a specialist website (JustGiving or Virgin Money Giving) designed to help individuals and charities raise money and maximise the use of Gift Aid. Personal data (see Paragraphs 3 and 4) provided by Tommy’s supporters for this purpose to JustGiving and Virgin Money Giving is passed to Tommy’s. We store this information in our database and use it to communicate with our supporters about their fundraising activities.
Some of our fundraising activities are set up for young children to participate in with their parent or guardian. Parents or guardians entering their children in one of these events will be asked on the relevant fundraising page (JustGiving or Virgin Money Giving), or on their sponsorship form, if they wish to share the child’s first name with us. If the parent or guardian gives us the child’s name, we add it to our database and we share the name with Orbital (see above, acting on behalf of Tommy’s) so that they can produce a personalised certificate of thanks for the child at the end of the event to mark their achievement. We will never make contact with the child. If the parent or guardian later exercises his or her right to opt out of communication with Tommy’s the name of the child will remain on their parents’ record. We will tell parents why we are asking for the child’s name and they will have the option not to share that information with us.
Our aim is for all information that we hold about you to be accurate and, where necessary, kept up-to-date. If any of the information we hold about you is inaccurate and either you advise us of this or we become aware in another way of its inaccuracy, we will ensure it is updated as soon as possible.
We may process data about children under the age of 16, usually where such data is given to us by parents or guardians in the course of participating in fundraising events. For example, occasionally our sponsorship forms may request the name of a child involved in raising money. Where a child’s name is disclosed to us we use the information only for the purpose of thanking them.
We do not routinely collect dates of birth for supporters (eg our runners, or our donors). Therefore, unless we are given cause to believe a supporter is under 16 we may maintain the same communications with them as with our adult supporters.
However, if we believe a supporter or donor may be under the age of 16 we take all reasonable care to establish whether their contact with us is made under the supervision of a teacher, parent or guardian. Younger children only participate in our events and fundraising activities in the presence of, or under the guidance of, a parent or guardian.
Sometimes people choose to donate to Tommy’s in memory of a baby who has died. They may do this, for example:
- By setting up an ‘In Memoriam’ page via JustGiving, or
- By writing to Tommy’s directly enclosing a cheque for funds donated at a funeral.
We capture and process the information provided to us for this purpose to make sure we are sensitive and respectful in our communications with these supporters, for example empathising with their loss; thanking them for choosing to support Tommy’s; and letting them know who they can contact in Tommy’s for support and advice.
We recognise the importance of protecting our vulnerable supporters and follow the Code of Fundraising Practice in the UK issued by the Fundraising Regulator on treating donors fairly. We believe this helps to support our staff and professional fundraisers (who may not be directly employed by Tommy’s) who come into contact with supporters to provide high quality customer care, ensuring anyone donating to the Charity is in a position to make a free and informed decision. If an individual appears vulnerable we will offer them a cooling-off period, or more time before taking a donation. If we believe the individual lacks the mental capacity to make a decision we do not take a donation.
Identifying prospective donors is necessary to securing donations from trusts and major gifts (currently defined as gifts of £1,000 or more) from individuals, so that we can grow our income and meet Tommy’s charitable objectives.
Our approach to prospect research complies with current law; we will update our approach should the legal position change.
Prospect research helps us to
- identify if a potential donor may have the capacity and propensity to give major gifts to Tommy’s; and
- identify how best to approach them.
Prospect research includes manually gathering public and freely given information from the Internet, from Tommy’s contacts and from Tommy’s own donor records, and creating profiles to help us identify individuals, trusts, foundations and corporations able to give at this level. This means that we:
- Create short profiles of potential donors, using public and freely given sources of data to identify people who may be able and predisposed to give major gifts. These data sources may include:
- Charity Commission data (which identifies trustees of grant-giving trusts, and charitable aims)
- Other sources of information about charitable trusts’ giving, for example trustfunding.org.uk, trust websites, charity trade press
- Companies House data (which identifies company directors)
- Company and charity websites which profile, for example owners, senior partners, or Trustees
- News articles about business, financial or philanthropic decisions
- Public media where individuals have volunteered information about their interest or experience with pregnancy complications, for example interviews where individuals have spoken publicly about miscarriage
- Public social media accounts, eg a company’s Facebook or LinkedIn page, or an individual’s Twitter account which has a primarily professional function.
- Create queries on our database to identify past donors who may have given at major-gift level in the past, and therefore could do so again
- Review lists of individuals signing up to Tommy’s fundraising events (and have opted in to communications) to look at the reasons that people give, their job titles, their family name (if they are well-known/in the public eye) and postcodes. We use this information to target personalised invitations to engage further with Tommy’s at those who are most likely to be interested.
- Identify where our Trustees, Fundraising Board or staff may be able to help with an introduction, for example because they move in the same professional social circles as a potential donor.
We do not seek consent to our prospect-research activities as defined above, because we believe we have legitimate interest which is not over-ridden by the individual’s fundamental rights (see Paragraph 7). Here are the balancing exercises which guided this decision in respect of prospect research.
For prospect-research purposes we gather sensitive data only in the form of information about experience of pregnancy complications which the subject has willingly put in the public domain, or shared with Tommy’s. We do not:
- Gather data from personal sources such as personal Facebook and Twitter accounts
- Conduct automated wealth-screening using external agencies.
We want all individuals who come into contact with Tommy’s to have a positive experience, whether or not they are donors. We believe that the way we carry out prospect research will help us to identify potential donors efficiently, and to avoid making inappropriate or excessive approaches.
We will keep your information for as long as we need to, in order to deliver our services. We will take into consideration our legal obligations and tax and accounting rules when determining how long we should retain your information.
By using our website, social media pages, entering a competition or providing your information you consent to our collection and use of the information you provide in the ways set out in this policy. If you do not agree to this policy please do not use our website, social media pages or services.
For all areas of our website which collect personal information, we use a secure server. Although we cannot 100% guarantee the security of any information you transmit to us, we enforce strict procedures and security features to protect your information and prevent unauthorised access.
We use Fat Beehive to help us with our web design, and Force 24 to help us gather data submitted by our website users.
A cookie is a small file of letters and numbers that we may put on your computer or mobile device when you access our website. Cookies allow us to distinguish you from other users of the website, helping us to provide you with a good experience when you browse our website and also allowing us to improve our site. For example, they will tell us whether you have visited our site before or whether you are a new visitor. Another example is enabling us to show you articles that you have recently read, so that you can access them again more easily.
Cookies can be set by the website you are visiting (first-party cookies) or by other websites (third-party cookies) whose content we are hosting, eg YouTube.
Most web browsers allow at least a degree of control over cookies through their settings. You can opt to receive an alert whenever a cookie is set or to disallow the setting of cookies altogether. You can also delete all existing cookies.
You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of Tommy’s website and many other websites that you visit. For information about how to manage or delete cookies for your particular browser, please refer to the browser’s help section. Alternatively you can visit www.aboutcookies.org, which has comprehensive information on how to manage cookies on a wide variety of desktop browsers.
We may update the terms of this policy at any time, so please do check it from time to time. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address you have provided to us, or by placing a prominent notice on our website(s). By continuing to use our website you will be deemed to have accepted such changes.
We review our application of this policy in three ways:
- Every four years we review our approach to consent and the balancing of legitimate interest with the rights and interests of the individual. If the balancing exercise indicates a different approach would be appropriate we change our approach accordingly.
- We monitor and regularly assess your feedback. If the feedback assessment indicates a different approach would be appropriate we change our approach accordingly.
- We review this policy if there is a change in the law that requires us to do so.
You have the right to:
- Request a copy of the information we hold about you
- Update or amend the information we hold about you if it is wrong
- Change your communication preferences at any time
- Ask us to remove your personal information from our records: in these circumstances we would retain your name, home address and email address on a ‘suppression list’ of individuals with whom we will not make any future contact
- Object to the processing of your information for marketing purposes, or
- Raise a concern or complaint about the way in which your information is being used.
If you wish to find out more about these rights, or to obtain a copy of the information we hold about you, please contact us at:
Private Information Request
3 Laurence Pountney Hill
Tel: 0207 398 3461
Email: [email protected]
If you have any questions or queries about this Privacy and Data Protection Statement, please contact the Data Controller at the above address and contact details.