- Who we are and what we do
- Data protection regulation
- What personal data does Tommy’s collect?
- What sensitive personal data does Tommy’s collect?
- Whose data do we collect?
- Definitions of processing and direct marketing
- How do we use the information we process?
- Consent and legitimate interest
- Your preferences
- Who do we share your information with?
- Children’s data
- Vulnerable supporters’ data
- In memoriam
- The accuracy of the information we hold about you
- Prospect research
- Automated decision-making
- Storing your information outside the EEA
- For how long do we keep your personal data?
- Our website and social media
- Recording and reporting data breaches and near misses
- Policy changes
- Your rights, including how to complain
Tommy's exists to save babies' lives. We fund research into the causes and prevention of pregnancy complications that lead to miscarriage, stillbirth and premature birth. We also provide pregnancy health information for parents-to-be.
Tommy’s is registered as a charity in England and Wales (registered charity number 1060508), and in Scotland (registered charity number SC039280). We are also registered as a company limited by guarantee (company number 3266897).
We also have two wholly owned subsidiary companies of Tommy’s. These are:
- The Baby Fund Trading Limited (registered company in England and Wales number 2557706), to record our activity classed as trading including the selling of sponsorship rights, and
- LLHM Limited (registered company in England and Wales number 10584979), to manage our event-driven activity, specifically the London Landmarks Half-Marathon.
At Tommy’s we protect your rights and we provide you with a clear route to contact us about the data we process that relates to you personally.
In carrying out our day-to-day activities we process and store personal information relating to our supporters and we adhere to the requirements of the Data Protection Act 2018 (DPA) and the General Data Protection Regulation 2018 (GDPR).
We take our responsibilities under data protection regulation seriously and we ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with those regulations and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations.
The type of communications and information you receive about our charity and the ways in which you can get involved are your choice. You can change your mind at any time, or ask to see the information we hold about you, by contacting the Data Controller: Tommy’s, Nicholas House, 3 Laurence Pountney Hill, London, EC4R 0BB, or by phone on 0207 398 3461 or via email at [email protected].
Personal data is information that can be used to identify you.
Tommy’s collects the following information which the GDPR classes as personal information:
- Your name
- Date of birth
- Email address
- Postal address
- Bank account details
- Mobile and landline telephone numbers
- Marital status
- Emergency contact name and number.
Tommy’s also collects the following information:
- Details of any opt-in and opt-out preferences you have communicated to us
- Details of any gifts you have given to Tommy’s
- Whether or not you are a UK tax-payer (so that we know whether or not we can claim Gift Aid)
- Details of any Tommy’s events you have participated in
- Notes relating to our relationship with you. Examples of this could be correspondence between you and Tommy’s, or connections between you and other individuals or organisations known to Tommy’s
- Your job title and your employer (if you give us this information)
- The reason you give us for supporting Tommy’s
- Data gathered through prospect research
- Photographs and, in the case of certain events, film.
We collect this personal information about you when you ask about our activities, register with us (for example, registering on an app, or sign up to receive pregnancy information), make a donation to us, register for an event, engage with our social media or message boards, order products and services (such as publications and email newsletters), otherwise give us personal information, or become known to us as someone who might consider connecting with Tommy’s in some way.
In recording this information, we apply all the usual data protection principles outlined in this policy, so people sharing this information can feel confident that this information will not be used or stored inappropriately, and they retain the right to access this information or to request its removal at any time.
Tommy’s also collects the following information from your use of our website:
If you do nothing other than read pages or download information from our website, we gather information about this use, such as which pages are most visited and which events or activities are of most interest. We use this information to improve our website and services and ensure we provide you with the best service. The information we use for this purpose is aggregated or anonymised, ie it will not identify you as an individual visitor to our website.
Tommy’s also collects credit and debit card information for those who donate to, or buy from, Tommy’s:
If you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that we manage this securely and in accordance with the Payment Card Industry Data Security Standard.
If you are a direct-debit donor, access to your bank details is restricted so that only the team that processes details can access it. If you have made a donation via direct debit, your bank details will be deleted seven years after the end of the financial year that your direct debit was cancelled in, in order for the charity to meet its audit and tax requirements. If you have never successfully made a donation, your bank details will be deleted at the end of the financial year in which your direct debit was cancelled.
We do not store your credit or debit card details at all following the completion of your transaction: all card details and validation codes are securely destroyed once the payment or donation has been processed. Only those staff authorised to process payments will be able to see your card details. If we receive an email containing any credit or debit card details the email will be immediately deleted, no payment will be taken and you will be notified about this.
We do not store your financial information for longer than we need to.
Sensitive personal data, as defined by the GDPR, comprises:
- Physical or mental health or condition
- Sexual life
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- The commission or alleged commission by the data subject of any offence, or any ongoing proceedings for any offence.
Tommy’s collects the following sensitive personal data:
- Medical information (physical or mental health or condition) about employees and race participants who share their medical information with us
- Pregnancy experiences (including pregnancy loss) about people who share this information with us.
We collect sensitive personal data about our supporters only if there is a clear reason for doing so:
- We collect medical information in respect of employees to help us discharge our duty of care, within the provisions of the Access to Medical Reports Act.
- Where Tommy’s acts as Race Organiser we collect information about any disability you may have if you are planning to participate. We pass this information on to our Event Management Company and the Event Medical Director, to ensure we provide appropriate support to enable you to participate.
- We collect sensitive personal data in the form of information about supporters’ pregnancy losses and live babies. We use this data on individuals’ personal experiences to ensure we provide a sensitive, caring and personalised supporter experience to them. Supporters appreciate it when we remember the name of their children, and we could cause distress if we did not remember that they had lost a baby.
We collect sensitive information about specific health conditions or lifestyle issues that can affect pregnancy outcomes. We do this for the purpose of gathering feedback that will enable us to improve information we publish, and/or to provide tailored information to you to support you with respect to your condition. If we share this data with our research centres or other organisations we do so in an anonymised, aggregated manner.
We collect information about:
- Visitors to our websites and owned social-media channels (eg Tommy’s Facebook page, Twitter and Instagram)
- Our supporters (including our past and present donors, event participants, individuals giving non-financial assistance), prospective supporters, partners and beneficiaries and members of the public who make contact with us, including those who share their personal stories with us
- Complainants and other individuals in relation to a data protection or subject access request or other enquiry
- Applicants for jobs with Tommy’s, and
- Tommy’s employees.
- ‘Processing data’ means any operation or set of operations which is performed on personal data or on sets of personal data such as collection, recording or holding information, or disclosing or destroying the information.
Examples of Tommy’s data processing practices include: sending a thank-you letter to acknowledge a donation; sending race details to race participants; sending out materials requested for fundraising purposes; sending out advance-notification letters for direct-debit purposes; providing fundraising support for those who have opted to fundraise for Tommy’s; making a request for financial support from a known supporter.
- ‘Direct marketing’ means communicating any advertising or marketing material which is directed to particular individuals.
We process your information in the following ways:
In the provision of services, products or information you have requested:
- To process any donation(s) we receive from you
- To ask you to help us raise money, donate money to our charity or provide non-financial assistance (but always in accordance with your marketing preferences)
- To provide to you information about our work or our activities, if you have asked to receive this information
- To send you items you have requested by telephone or via our website
- To analyse and improve the services we offer
- To provide tailored or general support to you in (a) having a premature baby and (b) having a healthier pregnancy with lower risk of adverse outcomes
- To provide you with information about and allocate you appropriate volunteering opportunities where you have requested us to do so.
For administration purposes:
- We contact donors about donations they have made
- We contact supporters about events they have expressed an interest in or registered for
- We send information to event participants about the race or other event they are participating in
- We keep internal records for managing complaints or other feedback
- We record website traffic to personalise the way our information is presented to you
- We get in touch with an emergency contact if required
- We confirm eligibility requirements for event or volunteering opportunities supporters have expressed an interest in.
For legal purposes:
- Where the processing is required or authorised by law
- For credit risk reduction or fraud prevention (regrettably some people target charities for illegal purposes such as money laundering, and we are therefore required to monitor financial activity and report suspected fraud to the appropriate authorities).
For marketing purposes:
- We supplement or add to the information we hold about supporters and potential supporters with information that is available through, or that we receive from, other sources, eg public registers, or third-party information services. This allows us to send supporters the most relevant information and promote those fundraising opportunities that we believe they are most likely to be interested in.
- We contact supporters and potential supporters by mail, email, phone, text or social messaging, seeking consent if we are required to do so.
- If you share a personal story with us via our website or social media channels we may invite you to consent to future communications from us and to sharing your story more widely. Sometimes Tommy’s is invited by journalists to contribute to news stories relating to our cause, and in this situation we may invite you to participate or to allow us to use your story for these purposes.
- We use the information for prospect research purposes. Prospect research means gathering and reviewing freely given, publicly available data (from sources such as news articles, the Charity Commission, Companies House) to identify individuals and organisations who may have the capacity and inclination to give a major gift to Tommy’s. Gathering such data helps us to approach potential donors in the right way, and avoid excessive and inappropriate approaches.
For fundraising purposes:
- We advise you on setting up a fundraising page
- We offer you fundraising materials to help you with your fundraising
- We advise you on the best ways to fundraise
- We make you aware of your obligations, where Tommy’s has purchased your fundraising place.
For the management of applications for jobs at Tommy's:
Our recruitment process comprises:
- Collecting CVs and other information provided by job applicants (often this is forwarded to us by recruitment consultancies)
- Conducting interviews at which notes are taken and, in some cases,
- Inviting applicants to participate in psychometric assessments.
If the candidate is unsuccessful in his or her application, a single hard copy or electronic copy of all such information (including the result of any psychometric assessment) is held by the HR Manager in a password-protected digital folder or locked drawer for six months, and then securely destroyed.
We do not need your consent to process your data for legal purposes, or for many administrative purposes, but in some cases we do need your consent for data processing, including direct-marketing purposes.
We carry out a balancing exercise to assess whether or not we need your expressed consent to conduct our activities. To do this, we consider both the content of the personal data that we collect and the way in which we wish to use that data.
- In some cases our balancing exercise concludes that opt-in consent is required, for example for most direct-marketing activities. Where consent is required we ensure that no direct marketing takes place unless you have ‘opted in’.
For example we may wish to contact a donor who has given to Tommy’s in the past to ask them for further support, because people who have previously given are statistically more likely to support the same charity again, and this will help us to increase our funds raised. Our balancing exercise shows that:
- We may contact such a supporter by post without seeking express consent, so long as the number of letters is proportionate to how recently the donor gave to Tommy’s (for example a donor who gave to us five years ago would not expect to receive more than one letter a year).
- But the donor’s right to privacy and reasonable expectations over-ride Tommy’s interest in continuing contact with them by telephone or by email, and we would not therefore make any contact by these means without express consent.
- In other cases our balancing exercise concludes that opt-in consent is not required for us to process the data, because we have a legitimate interest in processing the data that is not overridden by the individual’s rights and interests.
For example, if we receive information about a new donor who wants to make monthly donations we will add the donor’s details to our database and use this information to issue BACS instructions to the bank. We do this in order to claim the regular gift that the donor wishes to make.
Our balancing exercise shows that Tommy’s has a legitimate interest in processing the donor’s data, in order to facilitate the regular payments the donor wants to make. This legitimate interest is not over-ridden by the individual’s rights and interests.
On all our fundraising forms we use the following statement to invite you to express your preference for how you would like us to retain contact with you:
Please tell us if you would be happy for us to contact you with this information:
In this way we give you the opportunity to opt in or opt out of further communications with us, and to express your preferred method of communication. If you have opted in to further communications we will automatically invite you to update this option every two years; or at any appropriate earlier time that is required; or at any appropriate later time in the case of multi-year funding commitments.
We share your information with our data processors. Our data processors are organisations which carry out fulfilment activity for us such as sending out running vests and processing our thank-you letters (Orbital); or carry out marketing services such as sending out mass emails, subject to your communication preferences and our internal policies and procedures (Adestra).
To provide tailored information to support you through conception or pregnancy we build and automate communications that are tailored to answers you have given about your health and lifestyle. To set up these communication streams, we use organisations such as Fat Beehive, which manages our Content Management System, Adestra, which owns our email communication system and Thrive, which builds and automates email communications.
We also disclose your personal information to third parties if we are required to do so by a legal obligation (for example to the Police or a Government body); or to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.
We share data relating to specific health conditions or lifestyle issues with our research centres, but we will only ever do this in an anonymised, aggregated manner.
We do not share your information for any other purposes.
Many of our supporters who participate in events to raise funds for Tommy’s set up a personal page on a specialist website (JustGiving or Virgin Money Giving) designed to help individuals and charities raise money and maximise the use of Gift Aid. Personal data provided by Tommy’s supporters for this purpose to JustGiving and Virgin Money Giving is passed to Tommy’s. We store this information in our database and use it to communicate with our supporters about their fundraising activities.
Some of our fundraising activities are set up for young children to participate in with their parent or guardian. Parents or guardians entering their children in one of these events will be asked on the relevant fundraising page (JustGiving or Virgin Money Giving), or on their sponsorship form, if they wish to share the child’s first name with us. If the parent or guardian gives us the child’s name, we add it to our database and we share the name with Orbital (see above, acting on behalf of Tommy’s) so that they can produce a personalised certificate of thanks for the child at the end of the event to mark their achievement. We will never make contact with the child. The child’s name will be deleted from our database twelve months after the event, once all of the thanking has been completed. We will tell parents why we are asking for the child’s name and they will have the option not to share that information with us.
These ‘thon’ fundraising events are held in partnership with a range of organisations including Water Babies, Baby Ballet, Jo Jingles and WOW World Group. We share your details (including your contact details and the amount that you and your child have fundraised) with the relevant franchise with which you have participated, in order to ensure that you are considered for any prizes and incentives that the partner organisation is offering to reward participation in the fundraising event.
Children under the age of 16 only participate in our events and fundraising activities in the presence of, or under the guidance of, a parent or guardian. The only exception to this is Tommy’s volunteering roles at the London Landmarks Half Marathon, where a ‘child’ is defined as anyone under the age of 18. We therefore only process data about children if such data is given to us by parents or guardians in the course of participating in fundraising events. Occasionally our sponsorship forms may request the name of a child involved in raising money. Where a child’s name is disclosed to us we use the information only for the purpose of thanking them.
We collect dates of birth only where relevant for supporters, unless we are given cause to believe a supporter is under 16. Therefore we will not normally know supporters’ ages, and in the absence of this knowledge we maintain the same communications with all supporters.
However, if we believe a supporter or donor may be under the age of 16 we take all reasonable care to establish whether their contact with us is made under the supervision of a teacher, parent or guardian.
We recognise the importance of protecting our vulnerable supporters and we follow the Code of Fundraising Practice in the UK issued by the Fundraising Regulator on treating donors fairly. We believe this helps to support our staff and professional fundraisers (who may not be directly employed by Tommy’s) who come into contact with supporters to provide high quality customer care, ensuring anyone donating to the Charity is in a position to make a free and informed decision. If an individual appears vulnerable we will offer them a cooling-off period, or more time before taking a donation. If we believe the individual lacks the mental capacity to make a decision we do not take a donation.
Sometimes people choose to donate to Tommy’s in memory of a baby who has died. They may do this, for example:
- By setting up an ‘In Memoriam’ page via JustGiving, or
- By writing to Tommy’s directly enclosing a cheque for funds donated at a funeral.
We capture and process the information provided to us for this purpose to make sure we are sensitive and respectful in our communications with these supporters, for example empathising with their loss; thanking them for choosing to support Tommy’s; and letting them know who they can contact in Tommy’s for support and advice.
Our aim is for all information that we hold about you to be accurate and, where necessary, kept up-to-date. If any of the information we hold about you is inaccurate and either you advise us of this or we become aware in another way of its inaccuracy, we will ensure it is updated as soon as possible.
Identifying prospective donors is necessary to securing donations from trusts and major gifts (currently defined as gifts of £1,000 or more) from individuals, so that we can grow our income and meet Tommy’s charitable objectives.
Our approach to prospect research complies with current law; we will update our approach should the legal position change.
Prospect research helps us to
- Identify if a potential donor may have the capacity and propensity to give major gifts to Tommy’s; and
- Identify how best to approach them.
Prospect research includes manually gathering public and freely given information from the Internet, from Tommy’s contacts and from Tommy’s own donor records, and creating profiles to help us identify individuals, trusts, foundations and corporations able to give at this level. This means that we:
- Create short profiles of potential donors, using public and freely given sources of data to identify people who may be able and predisposed to give major gifts. The type of information we may collect in profiles includes:
- Career history, areas of interest, connection to Tommy’s
- Gift capacity based on visible assets and previous charitable giving
The data sources we use include
- Charity Commission data (which identifies trustees of grant-giving trusts, and charitable aims)
- Other sources of information about charitable trusts’ giving, for example trustfunding.org.uk, trust websites, charity trade press
- Companies House data (which identifies company directors)
- Mint UK (a comprehensive database of UK companies)
- Company and charity websites which profile, for example owners, senior partners, or Trustees
- News articles about business, financial or philanthropic decisions
- Public media where individuals have volunteered information about their interest or experience with pregnancy complications, for example interviews where individuals have spoken publicly about miscarriage
- Public social media accounts, eg a company’s Facebook or LinkedIn page, or an individual’s Twitter account which has a primarily professional function.
- Create queries on our database to identify past donors who may have given at major-gift level in the past, and therefore could do so again
- Database postcode reviews of current donors
- Review lists of individuals who sign up to Tommy’s fundraising events (and who have opted in to communications) to look at the reasons that people give, their job titles, their family name (if they are well-known/in the public eye) and postcodes. We use this information to target personalised invitations to engage further with Tommy’s at those who are most likely to be interested.
- Identify where our Trustees, Fundraising Board or staff may be able to help with an introduction, for example because they move in the same professional social circles as a potential donor.
We do not seek consent to our prospect-research activities as defined above, because we believe we have legitimate interest which is not over-ridden by the individual’s fundamental rights.
For prospect-research purposes we gather sensitive data only in the form of information about experience of pregnancy complications which the subject has willingly put in the public domain, or shared with Tommy’s. We do not:
- Gather data from personal sources such as personal Facebook and Twitter accounts
- Conduct automated wealth-screening using external agencies.
We want all individuals who come into contact with Tommy’s to have a positive experience, whether or not they are donors. We believe that the way we carry out prospect research will help us to identify potential donors efficiently, and to avoid making inappropriate or excessive approaches.
Tommy’s does not carry out profiling or take significant decisions about individuals by wholly automated means.
An organisation may transfer your personal data to a country outside the European Economic Area (EEA), if one of the following conditions applies:
- The country to which your personal data is transferred ensures an adequate level of protection for your rights and freedoms; or
- You have given the organisation your consent; or
- The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between you (the data subject) and us, or to protect your vital interests;
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
- The transfer is authorised by the relevant data protection authority where there are adequate safeguards with respect to the protection of your privacy, your fundamental rights and freedoms, and the exercise of your rights.
Tommy’s does not currently store or transfer your personal data to a country outside the EEA.
Some information which we hold is only required for a short period of time and will be deleted once its purpose is fulfilled. This data relates to the collection of children’s names as part of our “Thon” thanking, and also to bank details for direct debit donors that never make a payment to the charity. Both of these have been discussed in greater detail in earlier sections of this policy.
However, as we strive not to collect more information about you than we need, most of the information we hold (such as contact information, gift records, tax status, participation in events, notes of email exchanges, reasons for support, record of marketing preferences, lists of communications you have received from us and whether or not you opened them) is deemed critical to our stewardship of you. Many of these data classes also have to be retained to enable us to meet our legal, regulatory and financial requirements. This data will be deleted after seven years if we have had no contact or interaction with you and you have opted out of marketing communications. This retention period has been determined with consideration for our legal obligations and tax and accounting rules, and we reserve the right to change it to reflect subsequent changes in those rules and obligations.
However, if you ask us to remove your personal information from our records we will make efforts to ensure we have identified the correct record on our system, and we will review the data to ensure that we are not required to hold it for legal or financial reasons.
If, once these actions have been taken, we determine that we have no legal or financial obligation to keep your data, we will delete the information we hold about you from our records. The only exception to this will be if we are required to keep a record of your gifts for Gift Aid and financial audit purposes, in which case we will anonymise your record and retain the relevant data in a locked note which can only be accessed by a relevant employee.
For all areas of our website which collect personal information, we use a secure server. Although we cannot 100% guarantee the security of any information you transmit to us, we enforce strict procedures and security features to protect your information and prevent unauthorised access.
We use Fat Beehive to help us with our web design, and Adestra to help us gather data submitted by our website users and those who open and interact with our email communications.
We record and report any data breach or near miss in accordance with our Personal Data Breach Policy.
We may update the terms of this policy at any time, so please check it from time to time. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address you have provided to us, or by placing a prominent notice on our website(s). By continuing to use our website you will be deemed to have accepted such changes.
Self-employed contractors and volunteers are notified of their responsibilities when they begin delivering services to Tommy’s or volunteering with Tommy’s. Breach of this policy by a contractor or volunteer will normally result in the termination of the Contract for Services or the Volunteering Agreement.
We review our application of this policy in three ways:
- Every two years we review our approach to consent and the balancing of legitimate interest with the rights and interests of the individual. If the balancing exercise indicates a different approach would be appropriate we change our approach accordingly.
- We monitor and regularly assess your feedback. If the feedback assessment indicates a different approach would be appropriate we change our approach accordingly.
- We review this policy if there is a change in the law that requires us to do so.
You have the right to:
- Request a copy of the information we hold about you. Here is our Subject Access Request Policy
- Update or amend the information we hold about you if it is wrong
- Change your communication preferences at any time
- Ask us to remove your personal information from our records (eg withdraw your consent)
- Restrict or suppress our use of your personal data for a certain period of time, in certain circumstances
- Object to the processing of your information for marketing purposes
- Raise a concern or complaint with Tommy’s Data Protection Officer on [email protected] about the way in which your information is being used, or
- Complain to the ICO on the ICO helpline 0303 123 1113 or at www.ico.org.uk/make-a-complaint if you have concerns about an organisation’s practices in relation to information rights.
3 Laurence Pountney Hill
Tel: 0207 398 3461
Email: [email protected]
Data Protection Officer:
Last reviewed on March 27th, 2019.