Privacy and Data Protection Policy

1.0 Who are we?

The Brain & Spine Foundation

The Brain & Spine Foundation (B&SF) is the Data Controller. B&SF is the only UK-wide charity providing information and support for every one of the over 470 neurological disorders which affect 1 in 6 people in the UK, and we are a registered charity no. 1098528 (England and Wales) regulated by the Charity Commission.

The B&SF is a company limited by guarantee, registered in England (No 4432677), and is based at 4th Floor, CAN Mezzanine, 7-14 Great Dover St, London SE14YR. We are registered with the Fundraising Regulator and follow their best practice code: Code of Fundraising Practice. We are registered with the Information Commissioner’s Office as a Data Controller under reference Z4759252 for all our activities.

This Privacy Policy primarily concerns the collection and use of data by the B&SF in respect of the NeuroLifeNow App, except where indicated. However, it is intended in the future that the B&SF will consolidate its charity databases with the account details you provide to the NeuroLifeNow App. The B&SF’s Privacy Policy concerning its ordinary work as a charity can be found at https://www.brainandspine.org.uk/privacy-policy-and-cookies/.

 

Neuro Life Now

The NeuroLifeNow App, and the wider We Are Neuro programme (see below), are the products of a collaboration between the B&SF and the Neurological Alliance (registered charity 1039034), with the technical NLN App platform development and support completed by KPMG and their partners (acting as a processor for the B&SF). The B&SF are the beneficial owners of, and the data controller for, the App and the programme itself.

The wider programme comprises the NeuroLifeNow App as the foundation step, and initial means, to grow a representative community, called ‘We Are Neuro’, made up of people affected by neurological conditions. The aim of the programme is to capture the experiences of people affected by neurological conditions in a meaningful way, to empower that community and the people with it, to influence and inform key decision-makers at local and national levels that affect their care, support, and thus their wider lives.

‘We’, ‘us’, ‘our’ etc.

In our policies, ‘we’, ‘us’ and ‘our’ refers to the B&SF and NLN, which is administered by the B&SF. In this Privacy Policy, “NLN” refers to the programme of work encompassing NLN itself, and ‘We Are Neuro’. All these programmes and/or entities are wholly owned and controlled by the B&SF and all staff are B&SF employees.

 

2.0 The status of this Privacy Policy

When you use the NeuroLifeNow App, or our websites, social media pages, services or otherwise provide your information to us (including by phone or email), we will collect and use your information in the way(s) set out in this policy. If you do not agree with this policy, please do not use the NeuroLifeNow App or our other sites, social media pages or services.

We may make changes to this policy from time to time. If we do so, we will post the changes on this page and they will apply from the time we post them. Any substantial changes affecting how we use or share your data will be notified to you.

 

3.0 An overview of this Policy

When you use the NeuroLifeNow App, or our websites, social media pages, services or otherwise provide your information to us (including by phone or email), we will collect and use your information in the way(s) set out in this policy. If you do not agree with this policy, please do not use the NeuroLifeNow App or our other sites, social media pages or services.

We may make changes to this policy from time to time. If we do so, we will post the changes on this page and they will apply from the time we post them. Any substantial changes affecting how we use or share your data will be notified to you.

It’s important that you read our policy in full but to help guide you if you don’t have time right now, here is a quick summary:

What is personal data?

• Personal data is information that can be used to help identify an individual, such as name, address, phone number or email address. Some categories of data are more sensitive and are referred to as special category data, including health information and ethnicity.

Your use of the NeuroLifeNow App

• When we collect personal dataWe collect personal data, including special category personal data, about you when you use the NeuroLifeNow App or otherwise interact with us. It is necessary for us to understand your basic diagnosis, and certain other characteristics such as age and ethnicity, for us to understand and engage with you effectively.
• When we use pseudonymised dataWe also collect and process data from which you may not be identified, except as set out in this policy: statistical and analytical data concerning your use of the App, and also aggregated and/or pseudonymised data in the form of your answers to in-App questionnaires, or questions you ask in the App. Although our systems retain the ability to link this data back to you, should there be a legal reason to so, our system users do not routinely see or have access to this data by reference to any individual.
• What we share anonymouslyIf you have signed up to be part of the NLN community, the data you provide will be pooled and shared anonymously with other NLN users, clinicians and researchers for research purposes until you instruct us not to. This will be in the form of aggregated data and/or unattributed contributions you have made to our community, such via questionnaires. This information is shared by reference to certain of your personal characteristics (including approximate age, ethnicity, and location) but not by reference to personal identifiers.
• Helping us build and engage with our communityYour NeuroLifeNow App personal account information (namely, the information you provide when you register for the App) will in due course be consolidated with the B&SF’s existing supporter database. We shall do so transparently, securely and only for the purposes set out in this Privacy Policy, in accordance with your preferences. This account information would necessarily include both contact details and key personal characteristics relevant to your diagnosis that you provide when registering for the NeuroLifeNow App, but will not affect the protections described above for aggregated and unattributable data.

Your wider interactions with B&SF (where applicable)

• As the B&SF, and outside of the NeuroLifeNow App, we collect information about the people we support, our supporters, funders, volunteers, and the researchers who have expressed an interest in our funding and employees. We only collect the information that we need or that helps us to provide the best possible service and fulfil our charitable aims and objectives. This is set out in more detail in the B&SF’s Privacy Policy at https://www.brainandspine.org.uk/privacy-policy-and-cookies/.
• In summary however, we collect information to provide services or goods, to provide information, to develop NLN, to fundraise for our work, for administration, research, profiling and analysis to better understand our service users and supporters (see further Section 9.0 below), as well as for legal reasons (for example in connection with legal claims or insurance or preventing or detecting crime or unlawful activity).

How we protect your data

• We do our utmost to keep personal information secure, including authentication and encryption technology on all our websites and applications, and anonymising data where possible and encrypting data in storage.
• We do not share your personal data with other companies or charities for their marketing or commercial purposes.
• We only share personal data in limited lawful circumstances, such as:
  • under a strict contract required by data protection law, where trusted partners and carefully selected suppliers need to process data securely on our behalf to do work for us (for example, KPMG, who operate the NeuroLifeNow App platform; or a mailing house who send out our newsletter, where you have agreed to receive this); or
  • where we are required by law, including to prevent abuse, crime or fraud, or with courts or other authorities.

We also share aggregated and unattributable data for research and analytics purposes as described elsewhere in this policy.

• Our websites use cookies so we can give you a personalised website experience.
• We will use your contact details to contact you for necessary reasons, or otherwise in accordance with your preferences (including fundraising and/or marketing where applicable). Where you have provided marketing preferences, you can change these at any time by contacting our Central Operations team – [email protected].

 

4.0 The Information we collect

We collect information when you interact with us for the core purposes of our organisation and NLN, namely to build a world where people living with neurological conditions have the best possible standards of care and experience the best quality of life.

As the B&SF we collect four broad types of information:

1. Technical information such as IP addresses (the location of the computer on the internet), device identifiers, pages accessed, and files downloaded. This helps us to understand how many people use our apps and websites, how many people visit on a regular basis and how popular/useful our web pages are. This information doesn’t tell us anything further about who you are.
2. We will ask for personal information to provide you with the services requested (including managing your NeuroLifeNow App account); inform decision making that helps us meet our core aims and goals (for example identifying underrepresented demographics); send you information about our service; or to raise awareness of our work.
3. We may ask you for sensitive personal information or special category data, about your health or living situation: for example, if you are living with a brain tumour and tumour type. We do this so we can provide you with relevant information, to support you or and ensure we can understand your experiences. We do so in the course of our legitimate activities as a not-for-profit organisation, as permitted by data protection law, but do not share such information with third parties except as agreed to by you.
4. We may also collect sensitive or special category data if you make the information public, or to use with your consent for a particular purpose (for example, if you agree to share your story with us).

 

5.0 Under 16s

We are committed to protecting the privacy of the young people that engage with us. If you are under 16 and would like to get involved, please ensure you have consent from a parent or guardian before you provide your personal information to us. We do not send any marketing communications direct to children under 16.

 

6.0 How we collect information about you

Information you give to us directly when you:

• Sign up to take part in NLN, including via the NeuroLifeNow App and when you participate in questionnaires.
• Request information from our Support team.
• Contact our Information and Support Team, when you may choose to provide details, including details of a personal nature, in particular about you or someone else’s health.
• Interact with us outside of the App, such as via our website or one of our closed Facebook support groups, or otherwise communicate with us on social media.
• Choose to share your story and experiences with us, for example as a case study.
• Sign up to our e-newsletter.
• When you visit our websites, we collect technical information such as the IP address you use to visit the website, your browser type and version and your browsing history
• Contact us or become involved with us in any other way not listed above.

Please note the NeuroLifeNow App will not ask you for your credit or debit card details at any stage.

 

7.0 How we use your data and the legal basis for processing

The law requires us to set out the lawful grounds on which we collect and process your personal information as described in this policy. Depending on the purposes for which we use your data, one or more of the grounds listed below may be relevant.

Legitimate interest
In certain instances, we collect and use your personal information relying on the legitimate interest legal basis. In broad terms, our ‘legitimate interests’ means our interest in being able to run The Brain & Spine Foundation (and associated projects like NLN) effectively in pursuit of our aims and ideals as a charitable entity. This includes fundraising and marketing uses of personal data, including direct marketing and research (as set out in Section 9.0 of this policy), as well as broader engagement with our community.

However, ‘legitimate interests’ can also include your interests, those of third parties, or those of society as a whole, where our services support these interests. If we rely on the ‘legitimate interests’ basis to use your personal information, we will only use the information in accordance with the purposes described in this policy, or purposes otherwise notified to you.

When we process your personal information in this way, we also consider and balance any potential benefits and impact on you with your rights under data protection laws. We will not use your personal information for activities under legitimate interests where our interests are overridden by the impact on you, for example where collection and use of your information would be excessively intrusive (although other grounds may apply, such as a legal obligation).

Legal Obligation
We may need to collect, process and disclose personal information to comply with a legal obligation. For example, where we are ordered by a court or regulatory authority or we are legally required to hold donor transaction details for Gift Aid or accounting/tax purposes. We may also use personal information to cross check and prevent known malicious activities on The Brain & Spine Foundation’s websites.

Consent
In certain instances, we will rely on obtaining your consent to our use of your personal information in a certain way: for example, asking for your consent to use your personal information to send you marketing information by email; or when from time to time you choose to share specific sensitive personal information (special category data) with us via the NeuroLifeNow App or NLN website for particular purposes on an informed consent basis.

 

Special category data

Additionally, we may need to process your special category or sensitive personal data within the meaning of data protection law: for example, your ethnicity or details of your neurological condition. We will do this for one of the following reasons:

 

• where you have explicitly consented to the use, for example when choosing to contribute data for a specific purpose via a questionnaire or FAQ on the App;
• where you have manifestly made the information public; or
• where we process the information only within our organisation in the course of our legitimate activities in connection with our core aims as a not-for-profit organisation with a focus in the area of brain and spine conditions, with appropriate safeguards. This legal condition enables us to operate effectively with members, beneficiaries and donors who may typically have such special category characteristics, including within the functionality of the NeuroLifeNow App.

Data protection law does not restrict our ability to share aggregated and/or anonymised data, including where related to health or ethnicity, where you cannot be identified. See below.

 

8.0 How we use and share anonymous and/or aggregated research data.

When you provide certain information to NLN via the NLN website or NeuroLifeNow App, including answers to questionnaires and FAQs, our NLN system users (being the B&SF and the Neurological Alliance) can view and extract it in what is known as a “pseudonymised” form.

This means that we are not able to see or extract the data by reference to you as an identifiable individual, although the B&SF as data controller do have the technical ability (through KPMG, its NLN platform service providers) to link this information back to a registered individual account holder, should that be necessary for a legal purpose: for example, a legal claim, complaint, court order, or in some cases where you exercise a data protection right (e.g. to access, understand, amend or erase or the data we hold).

Where you withdraw consent to our processing this data, or ask for it to be erased, we will be able to de-link the aggregated and anonymised data permanently from your personal details (except where we are otherwise required by law). However, we will continue to process the data in aggregated and anonymous form for research and statistical purposes as permitted by data protection law. We will also share and continue to share such data:

• with other NLN users in an aggregated, anonymous format such as graphs and infographics;
• with clinicians, analysts, researchers, and key decisions makers in an anonymous format in order to find a cure quicker or improve standards of care and support; and
• with the Neurological Alliance, who have access to such data directly from the NLN system.

We also use such analytical and statistical data to help improve our services and NLN itself.

 

9.0 Understanding our supporters and working more effectively.

We are committed to providing everyone who gets in touch with us with the very best experience, providing you with timely and relevant communications and using our resources effectively.

To do this, we use profiling techniques to provide us with general information about you, which include geographic, demographic or other information relating to you to better understand your interests, condition and preferences. This information is compiled by our employees, volunteers or occasionally a third-party insights company, using publicly available data in combination with information that you have already provided to us.

This does not currently apply to your account data submitted via the NeuroLifeNow App. However, the B&SF intends to consolidate the NeuroLifeNow App database with its existing databases, which will mean using your NeuroLifeNow App account data for this purpose. We will never use or re-identify any pseudonymised and/or aggregated research data for the purposes of such individual profiling.

Publicly available information may come from places such as Companies House, the Charity Commission, LinkedIn, listed Directorships, typical earnings in each area or published in the media. This allows us to understand the background of the people who support us and helps us to make the right requests. Importantly, it helps us to raise more funds, sooner, and more cost-effectively, than we otherwise would.

 

10.0 Safeguarding

Safeguarding is everyone’s responsibility, and therefore we have a duty, wherever possible, to share any concerns (including with names and contact details where necessary, and with or without notice or reference to you) that we have about conversations emails, posts, messages, replies, questions, or comments that indicate you or someone else might be at risk, with the relevant services. This includes reference to or indication of abuse or neglect. However, to be clear, we do not specifically monitor the NeuroLifeNow App for such concerns or disclosures and the NeuroLifeNow App is not the appropriate forum to raise such concerns, which should properly be referred directly to the relevant local authorities or emergency services.

Though we will always look to notify our concerns and/or decisions affecting individuals, we reserve the right to share information with external agencies without checking first with you; especially if it is thought that by sharing our concerns with an individual this might put others at, or increase the risks identified, or interfere with police process, and/or where we are under a legal reporting obligation.

 

11.0 Communicating with you

Using the NeuroLifeNow App

We will use the contact details provided via the NeuroLifeNow App for authentication and necessary service messages (including the posting of new questionnaires) via your email address provided.

Other communication preferences with us

When you sign up to our eNewsletter mailing list, we will send you direct mail, which will include updates on our work, as well as any other messages you have agreed to receive.

We will only send you marketing communications by email if you have consented to receive these. You can unsubscribe at any time by clicking on the unsubscribe link in our marketing emails. Our mass email service allows us to track who has opened our e-newsletter and what links have been clicked on. This allows us to monitor what information is most useful to improve our content and information in future.

Where your preferences permit us to, we will also contact you by post or telephone about fundraising, campaigning, events, and trading using the contact details provided, where this is in our legitimate interests. We will do so as necessary in connection with the B&SF’s legitimate interests as a charity, and as such are not are not doing so relying on your consent. However, you have the option to opt-out of receiving marketing communications at any time by contacting our Central Operations team by writing to us at our Head Office address, emailing or calling us.

If you have indicated you do not wish to be contacted by us for marketing purposes, we will retain your details on a ‘do not contact’ list to help ensure that your preferences are respected. However, we may still need to contact you if you carry on dealing with us, including (but not limited to) service messages connected to the NeuroLifeNow App, or in connection with possible complaints or claims.

 

12.0 Storing your data

When you give us your details, you agree to us recording your details on our secure database, so we can provide you with the best possible service every time you contact us.

We hold your personal information for as long as required to provide you with the information or services you have requested, to administer your relationship with us, to inform our research, to inform our supporters’ preferences, to comply with the law or to ensure we do not communicate with people who no longer wish to hear from us.

We have developed a data retention policy that sets out the different periods we retain personal information for in respect of these relevant purposes. The criteria we use for determining these retention periods are based on various legal requirements on us a charity; the purpose for which we hold data, and whether there is a legitimate reason for continuing to store it (such as in order to deal with any future legal disputes); and guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner’s Office (ICO) and Charity Commission.

Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal information may be retained by us in archives for statistical or historical research purposes although we will do this in a manner that complies with applicable data protection law.

We continually review what personal information and records that we hold and delete what is no longer required. We never store payment card data after the transaction has been completed.

 

13.0 Third party supplier hosting

The NLN platform is provided by KMPG who act as data processor for B&SF.

B&SF digital files (for example, data extracted from the NeuroLifeNow App) are stored on a file server hosted by FLR (the charity’s IT support providers) at a data centre in the UK. Access to this data centre is restricted.

B&SF (including NLN) holds its data on secure databases which is hosted in the UK, with the exception to those stated below. Access to all systems is limited and there is restricted access to data based on a person’s role in the organisation.

Our third-party suppliers store data in the UK, with the following exceptions of MailChimp, who we use for the sending of out eNewsletter who store information in the USA. Where we engage with organisations outside of the UK and European Economic Area, we will ensure that the processing of your data is subject to appropriate security measures and suitable lawful mechanisms to protect your data.

All paper records are stored on premises at our offices. These offices are securely locked when no members of staff are present, and access is restricted and monitored during the working day.

In line with the principles defined in data protection law, B&SF will ensure that personal data will be processed in ways that are:

• Lawful, fair and transparent
• Collected for specific explicit and legitimate purposes
• Adequate, relevant and limited
• Accurate and up to date
• Not kept for longer than necessary
• Secure

Your details will be kept securely and only shared with trusted suppliers, who have a contract with us, who enable us to deliver our charitable objectives, for example, distribution of our newsletter or if required to by law, i.e. with the police or a regulatory body. At all times we remain legally responsible for your data. We never share your data with any third parties for their own marketing or commercial purposes, including charities.

 

14.0 Use of Cookies and other on-line technology

The Brain & Spine Foundation may use cookies, web beacons, tracking pixels and other tracking technologies when visiting our websites, including any other media form, media channel, mobile website or mobile application related or connected thereto (collectively, the “site”) to help customise the site and improve your experience.

 

15.0 Your rights

Under data protection law, you have rights over personal information that we hold about you. These are summarised below.

• Right to be informed

  You have the right to be told how your personal information will be used. This policy and other disclaimers, policies and statements used on our website, in the NeuroLifeNow App and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.

• Right to access your personal information

  You have a right to access certain personal data being kept about them, either physically or digitally. Anyone who wishes to exercise this right should apply, in writing, to the Data Protection Officer at B&SF. Please include details of the information you wish to access. The B&SF will respond within one calendar month, providing that the request includes appropriate contact details, proof of identity from the individual and we can validate the request. We may need to confirm these details with you or seek further clarification of your request before we can process it.

• Right to have your inaccurate personal information corrected.

  You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information, we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.

• Right to restrict use of your personal information

  You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.

• Right to erasure of your personal information

  You may ask us to delete some or all of your personal information and in certain cases, but please be aware that the right is subject to certain exceptions (i.e. if we have to hold on to it to meet a legal obligation) and is only applicable in certain specific scenarios (such as where you have withdrawn a consent that we were relying on, or where we no longer have a relevant lawful purpose for which the data is necessary).

• Right for your personal information to be portable

  If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.

• Right to object to the use of your personal information

  If we are processing your personal information based on our legitimate interests or for scientific/ historical research or statistics, you have a right to object to our use of your information. If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.

• Right to withdraw you consent

  Where you have consented to our use of your data, including but not limited to direct marketing, you may withdraw it at any time by emailing [email protected].

Please note that if you do withdraw any consent granted in respect of medical or ethnicity information provided to the B&SF/NLN (for example via a questionnaire or FAQ), this means your personally identifiable data will be removed from our underlying records. That means we will no longer be able to re-identify the data and thereby attribute your submissions or health data to any personally identifying details we hold for you. However, to ensure the integrity of our research findings and the power of the communities shared experiences, any collated research and statistical data relating to your experiences will be anonymously retained in an aggregated form by us or by others we authorise.

If you want to exercise any of the above rights, please contact our team at the B&SF. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one calendar month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.

Please note that exceptions apply to a number of these rights, and not all rights will be absolute or applicable in all circumstances. For more details we recommend you consult the guidance published by the Information Commissioner’s Office in their ‘Your Data Matters’ guidance for individuals.

Where you make a request in respect of data that has been de-identified

Where you ask us to re-identify personal data that we have pseudonymised for the purposes of access or some other right, and to the extent we are able to do so without prejudicing a research purpose, this will require our personnel to process such data on a personally identifiable basis in order to fulfil your request.

We reserve the right to refuse, or charge reasonable fees to fulfil, requests which are manifestly excessive, unfounded, or subject to a research or statistical use exemption; or where we can demonstrate that we are not in a position to identify you in relation to the data requested. In particular, if we no longer require you to be identified for the purposes of how we process your data, we are not obliged by data protection law to maintain the means to re-identify you for the purposes of your exercising a right under data protection law.

 

16.0 Keeping your information up to date

Where possible we use publicly available sources to keep your records up to date, for example, the Post Office’s National Change of Address database and the National Bereavement Register. However, we really appreciate it if you let us know if your contact details, preferences or circumstances change. Just contact our team at the B&SF and we will update our records.

 

17.0 How to change the way we contact you

Your personal preferences and keeping your data accurate are of utmost importance to us.

If at any stage you do not want to hear from us, want to change your contact preferences or want to update your details, you can email or call us.

You can also now register your details with the Fundraising Preference Service if you want to tell us through the Fundraising Regulator that you would prefer us not to contact you.

Any marketing email we send you will contain information about how to unsubscribe from email marketing communications. During any phone, email, or conversation you have with us, please feel free to let us know how you prefer to be contacted.

 

18.0 What to do if you have any concerns

If you are unhappy at any time about the way we process and/or use your personal information, please contact the B&SF’s data protection team via [email protected] who will investigate your concerns.

We appreciate the opportunity your feedback gives us to learn and improve. If you are unhappy with the way your data, (or that of a child or adult that you have legal guardianship or care of) are being processed, and we have been unable to satisfactorily resolve your concern, you have the right to complain to the Information Commissioner’s Office (ICO): www.ico.org.uk.