How we keep your personal information safe
At Mencap, we are committed to respecting your privacy and protecting your personal information. We promise to respect all personal information that you share with us, or we receive from other organisations, and keep it safe. We will be clear when we collect your personal information and we will not do anything you would not reasonably expect us to.
Controller of personal information
We are Royal Mencap Society (registered company in England and Wales no. 00550457) and we are the UK’s leading charity for people with a learning disability. Our registered charity numbers are 222377 in England and Wales, and SC041079 in Scotland.
Royal Mencap Society is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 and our registration number is Z5709720.
Golden Lane Housing Limited (registered company in England and Wales no. 03597323) and Mencap Trust Company Limited (registered company in England and Wales no. 01233201) are wholly owned subsidiaries of ours which trade on our behalf. That means they are part of Royal Mencap Society, and we own them – we are their ‘parent’.
Why we collect your personal information
Basically, to improve the way we communicate and work with you.
Our vision is a world where people with a learning disability are valued equally, listened to and included. We need you to help us make this a reality, and collecting your personal data enables us to learn what different choices of communication work best. This also means we save money that can be used to directly support people with a learning disability. Find out more about how we fundraise in our fundraising promise.
So, to summarise: when you use our website or services, you are agreeing for us to store and process your personal data. The ways we do that are explained in this policy – it is a guide for us to follow too, and we take it very seriously.
Where we collect your personal information from
You have the right to be informed about the collection and use of your personal information.
When we collect personal information from you, we will provide you with privacy information at the time we obtain your information.
When we obtain your personal information from a source other than you, we will provide you with privacy information:
• Within a reasonable period of us obtaining the personal information and no later than one month;
• If the information is used to communicate with you, at the latest, when the first communication takes place; or
• If disclosure to someone else is envisaged, at the latest, when the data is disclosed.
There are two main ways in which we collect personal information about you: directly or indirectly, including the use of third parties.
When you give your personal information to us DIRECTLY:
You may give us your information in order to sign up for one of our events, tell us your story, register on our website, request a service from us, fundraise on our behalf, sign up to a campaign, donate goods to our charity shops and add Gift Aid to your donation, make a donation, purchase our products or communicate with us. Sometimes when you support us, your information is collected by an organisation working for us (e.g. a professional fundraising agency), but we are responsible for your data at all times.
When you give your personal information to us INDIRECTLY:
When you give permission to OTHER ORGANISATIONS to share or it is available publicly:
We may combine information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our fundraising methods, products and services.
The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:
Third party organisations
This means other organisations that we collect data from, but only when you have given them permission to do this. You may give these organisations permission at various times, for example when buying something from a mail order catalogue or joining certain membership organisations. The data we receive depends on your agreement with the organisation.
We may also collect information from online social media and messaging services you use, such as Facebook, WhatsApp or Twitter, where you have given us permission to do so, or if you post on one of our social media pages.
Information available publicly
When building a profile, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences to contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. Such information is compiled using publicly available data about you, for example: addresses, listed Directorships or typical earnings in a given area.
Our profiling methods and analysis activities can be categorised in the following five ways:
1. Data Matching
We may use the personal information an individual has given us in conjunction with data that has been obtained indirectly from external sources in order to infer likely social, demographic and financial characteristics. This allows us to tailor communications with a better degree of relevancy to better meet the expectations and desires of the individual and other individuals in similar circumstances. We will not use this data in any way that might intrude upon an individual’s rights or be considered inappropriate.
We analyse supporters by group, post code or geodemographic area where more generous supporters may be situated. This enables us to better tailor relevant campaigns and mailings for those most likely to be interested and get involved. This is not designed to identify any specific individuals, but rather many individuals who may lie in a particular segment of supporters.
3. Major Donor Analysis
We may research prospective supporters to determine whether the individual could potentially become a major donor. We may utilise publicly available information from third party sources, such as Google, news articles, Companies House, published literature and social networking platforms. This information can include: history of donations to or associations with charities; how the individual is connected to us and other charitable organisations; areas of interest; stature in their field of expertise; gift capacity; any publicly known affiliations with not-for-profit or philanthropic bodies.
4. Event Planning
We may use profiling to create short biographies of individuals who are attending events of ours or are due to meet with members of our leadership for the purpose of understanding more about the people we are engaging with.
5. Ethical Screening and Minimising Risk
We are subject to many legal and regulatory obligations and standards. Especially considering that it is our mission to improve the lives of people with learning disabilities, the public naturally expects us to operate in an ethical manner. We employ appropriate due diligence of donors and donations as well as implementing robust financial controls that help protect Mencap from abuse, fraud and money laundering. We may ethically screen supporters to minimise the risk of associating ourselves with an individual or organisation that conflicts with the high standards we have set ourselves in our ethical policy. We do not accept donations from or hold/process any personal information of anybody that is under 16 years of age.
When we collect personal information as you use our WEBSITES OR APPS:
In addition, the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
When you visit and look around our website, we record things like your IP (internet protocol) address – the unique number of the device you are using to access our website, which pages you visit (on our website only), when they were visited, and the type of device you were using. This information helps us create a better experience for everyone who uses our website.
Examples of the type of information that can be collected using your IP address include the type and version of your browser, and the location from which you are accessing our site. This helps us improve how our page templates appear and change content to make it relevant to our website visitors.
How we use your personal information
Personal information means any information that may be used to identify you, such as your name, title, telephone number, email address, or mailing address.
We may process your personal information for our legitimate business needs. Rest assured, our intentions are always good. We collect your personal information because we need it to help us fulfil your requests, keep in touch with you, and offer you communications that are relevant to you.
This includes things like:
• Where processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our supporters
• To better understand how people interact with our website
• To provide postal communications which we think will be of interest to you
• To determine the effectiveness of promotional campaigns and advertising
• Providing any information or services you have requested
• Activating your registration on FamilyHub (if you choose to join) – our online community for parents and family carers of children with a learning disability. For more information on guidelines about our FamilyHub forum, click here
• Processing financial transactions such as donations, entering a paid event or setting up a Direct Debit. This includes processing gift aid with HMRC if relevant
• Keeping a record of any communications between us and you, for example emails and phone calls
• Keeping a record of other interactions too, such as requests for leaflets or attending an event
• Managing and improving how we communicate with you – how you prefer to be contacted, and what information you want to receive. We might contact you about our campaigns, events, appeals, volunteering, news, information and advice, and games, as well as other ways you can support Royal Mencap Society
• Researching the interests, behaviours, demographics (for example, age, sex, income), and trends of the people who are using our information, and range of services, both support and non-support related. We may ask if you wish to take part in more research, such as surveys or focus groups, but this will be voluntary (your choice)
• Creating a profile of what we think might interest you, so that we can offer you relevant communications. We may use your previous activities or interactions with us to try and predict how you may respond to different activities
• Getting more information about you from third parties, such as your age, telephone number, email address, or new address if you move. This helps us keep our records up to date, ensuring we continue to send you the most relevant communications – if you have chosen to receive them
• Responding to complaints or queries and look into any legal claims.
Legitimate Interests means the interests of Mencap in the way we carry out our work to enable us to give you the best service/products and the best and most secure experience.
For example, we have an interest in making sure that any marketing we send to you is relevant, so we may process your information to send you marketing that is of interest to you.
When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you, and your rights under data protection laws. We will always ensure that your personal data will not be used where our interests are overridden by the impact on you, unless we have your consent or are required by law.
Whenever we process data for these purposes we will ensure that we always keep your personal information rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please contact us. Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.
Sensitive personal information
Sometimes, we may ask you for more sensitive information, such as your personal connection to learning disability or your health condition if you are taking part in a sporting event. We will only collect this information with your permission and we will always take extra care of it.
Building profiles of supporters and targeting communications
We use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively, which donors consistently tell us is a key priority for them. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
When building a profile, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. Such information is compiled using publicly available data about you, for example addresses, listed Directorships or typical earnings in a given area.
Use of children’s data
We are committed to protecting the privacy of children and young people that engage with us, whether through our website, at fundraising events, through a project facilitated by Mencap, where we provide a care, support or youth service or where we provide information and advice.
We collect and store personal information about children and young people where we are contracted to provide a care and support service to them. We are required to process this personal information in order to fulfil the requirements of the care and support contract and to meet our regulatory obligations.
Where we are providing an information and advice service to children and young people, we will only process their personal information if we have written parental consent and if we need the data in order to provide a service to them.
If you sign up to join Family Hub, our online community for parents and family carers, you must be aged 16 or over.
If you want to participate in an event organised by Mencap, or a project facilitated by us, consent must be provided by the parent, guardian or carer if you are under the age of 16.
How we keep your personal information safe and who has access to it
We ensure that there are appropriate technical controls in place to keep your personal information safe and prevent unauthorised access to it. For example, our online forms are always encrypted (this prevents other people from accessing them) and our network is protected and checked often.
Any payment card details (such as credit or debit cards) we receive on our website are passed securely to our payment processing provider according to the Payment Card Industry Data Security Standards (PCI DSS).
Electronic data and databases are stored on secure computer systems and we control we has access to them. Our staff receive data protection training and we have data protection policies and procedures in place which teams are required to adhere to.
We regularly review who has access to information that we hold to ensure it is only accessible by trained staff, volunteers and contractors.
Where we use external companies to collect or process personal data on our behalf, we undertake comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
When we share your personal information
We will not sell or rent your personal information to third parties for the purposes of marketing, and we will not share your personal information for others to use in their marketing or fundraising activities.
We may share your personal information with other companies (e.g. subcontractors, suppliers) who provide services on our behalf, including delivering postal mail, sending emails, analysing data and processing credit card payments. We will only provide those companies with the information they need to deliver the relevant service, and we will make sure that your data is treated with the same level of care as if we were handling it directly. These activities will be carried out under a contract which imposes strict requirements on our suppliers to keep your information confidential and secure.
We undertake comprehensive checks on these companies before we work with them and then work closely with them for the duration of our working relationship.
We may need to disclose your personal information if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection laws.
By submitting your personal information to us, you agree to this transfer, storing and processing at a location outside the EEA.
How long we keep your personal information for
We will only retain your personal information for as long as it is required in relation to the purposes for which it was originally obtained.
How long personal information will be retained for depends on the type of information it is and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (although we will keep a record of your preference not to be emailed).
We will retain personal information in accordance with the time periods stipulated in our data retention policy. We will review our data retention periods for personal information on a regular basis.
We continually review the information that we hold, and delete anything that is no longer required. We never store payment card information.
Your legal rights
We want to ensure that you are always in control of your personal information.
Part of this is making sure that you understand your legal rights. We have outlined these overleaf, together with details as to how you can exercise them.
• The right to access your personal information
You have a right to obtain confirmation that your personal information is being processed. You also have the right to request a copy of the personal information that we hold about you.
When you are requesting a copy of the personal information that we hold about you, we will endeavour to provide you with the information you have requested without delay and in any event within one month of receiving your request.
We will not charge a fee for complying with a request unless the request is deemed to be manifestly unfounded or excessive.
• The right to edit and update your personal information
The accuracy of your personal information is important to us. You have the right to request that your personal information is rectified if it is inaccurate or incomplete.
We will endeavour to comply with your request without delay and in any event, within one month of receiving your request.
• The right to request to have your personal information erased (also known as the ‘right to be forgotten’)
You do not have an automatic right to have your personal information deleted. You do, however, have the right to request the deletion or removal of your personal information where there is no compelling reason for its continued processing. We will review each request on a case by case basis.
We will endeavour to comply with your request without delay and in any event, within one month of receiving your request.
• The right to restrict the processing of your personal information
You have the right to ‘block’ or suppress processing of your personal information. However, we will continue to store your personal information but not further process it. We do this by retaining just enough of your personal information so we can ensure that the restriction is respected in the future.
We will respond to your request within 21 days of receiving it, stating what we intend to do and, if we do not intend to comply with the objection, the reasons for our decision.
• The right to object to your personal information being used for direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
You have the right to object to your personal information being processed for direct marketing purposes (including profiling) and scientific/historical research and statistics. From the very first communication from us and every marketing communication we send after, you will have the right to object to marketing.
We will stop processing your personal information for direct marketing purposes as soon as we receive an objection from you.
• The right to complain to a supervisory authority if you believe we have not handled your personal information in accordance with the data protection laws.
You can make a complaint or raise a concern about how we process your personal information by contacting our Data Protection Officer using the details set out below.
If you are not happy with how we have handled your complaint, or you believe that your data protection or privacy rights have been infringed, you have the right to complain to the Information Commissioner’s Office (ICO), which oversees the protection of personal data in the UK, or the Fundraising Regulator, which is responsible for overseeing fundraising activities carried out by charities in the UK.
Alternatively, you may choose to contact either the ICO or the Fundraising Regulator directly about your complaint, regardless of whether you have raised it with us first.
If you wish to exercise any of the rights outlined in this section, please write to Royal Mencap Society’s Data Protection Officer at the following address:
Data Protection Officer
123 Golden Lane
Or send an email to: firstname.lastname@example.org
Please keep in mind that there are exceptions to the rights outlined above and although we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
Making changes to your personal information
Where possible, we use publicly available sources to keep your records up to date; for example, the Post Office’s National Change of Address database and information provided to us by other organisations.
If your personal details change, please help us to keep this information up to date by getting in touch and telling us:
Golden Lane Housing
Parkway 4, Parkway Business Centre
Princess Road, Manchester
Or send an email to: email@example.com
Updating your preferences and unsubscribing
You are in control of how we contact you, for example by post or email. And you can control this by contacting us or by creating an account on Royal Mencap Society’s website. If you want to stop receiving emails, click the ‘unsubscribe’ link at the bottom of any of our emails. We would rather you didn’t miss out, but we respect that this is your decision!
To make changes to the type of communications you get from us and how often you get it, please log in to your account here or contact our Supporter Care Team on firstname.lastname@example.org or 0845 077 0777.
Posting or sending inappropriate content
If you post or send any content that we believe to be inappropriate or content in breach of any laws, such as defamatory content, we may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies.