At the Mental Health Foundation we understand that the privacy and security of your personal information is an important issue to you and we are committed to protecting it. We aim to be completely transparent on how we collect, process and store your personal information.
The processing of your information is carried out by or on behalf of The Mental Health Foundation (who is the ‘controller’ of the personal information collected as set out below). The Mental Health Foundation is a company limited by guarantee in England (No. 2350846) and a charity registered in England and Wales (No. 801130) and in Scotland (SC039714).
Please take the time to read this policy carefully. If you have any questions about this it or would like to update your communication preferences, please contact us using any of the methods below:
Phone: 02921 679400
Postal Address: Workbench, 16, Neptune Ct, Cardiff CF24 5PJ
- How do we obtain your personal information?
- Directly from you: we collect personal information when you communicate with us using any media or in person. You may give us information to sign up for one of our events, ask about our activities, make a donation to us, purchase our publications or fundraise on our behalf.
- From other organisations or sources: your information may be shared with us by independent event organizers, for example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when they have told you your personal information will be shared and, generally, when you have indicated that you wish to support the Mental Health Foundation. You should check these organisations’ privacy policies when you provide your personal information to understand how they will use and share it. Your personal information may also be given to us indirectly by you when it is shared with us by third parties acting on our behalf, for example sub-contractors in technical, payment and delivery services. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.
iii. When information is publicly available: we may collect and combine information that is publicly available with information we already hold to better understand our supporters and improve our work. This may include:
- a. Information publicly available on social media platforms like Facebook (please see below for the Facebook’s ‘Custom Audience’ programme), Twitter or Instagram: we may collect personal information when you have used social media platforms to contact us. Please check your privacy settings or their privacy policies as you might have given us permission to access information from those accounts.
- b. Information publicly available on newspapers, articles or other websites such as Companies House and Land Registry.
- c. Information publicly available when researching/ analysis supporters as explained in section 3 below.
- When you visit our website: we automatically collect technical information from your computer or device such as IP address, and via cookies and similar technologies.
We may combine your personal information from one or more of these sources for the purposes set out in this policy.
- What personal information we collect
We may collect, store and use the following kinds of personal information:
- Identity data, including your name, username, date of birth (for example, if you make a donation, volunteer, or sign up for an event).
- Contact data, including your email address, postal address, and phone number (for example, if you sign up to receive updates from us).
- Financial data, including bank or payment card details (for example, if you make a donation).
- Transaction data, including details of your giving.
- Technical data such as your IP address, when you browse our website.
- Marketing data such as your preferences for receiving communications from us.
- Media data such as photographs, video and audio recordings.
- Any other information you provide us as above (see How we obtain your personal information)
- How we use your personal information
As a charity we rely on a variety of methods to keep our supporters engaged and informed about our work. We may use data collected for different purposes. Mental Health Foundation processes your personal data for the following purposes:
- to keep you informed and obtain your views of our activities;
- to provide you with information about services available to you through Mental Health Foundation, and third parties connected with us either as directed communications or newsletters;
- to process your payments/ donations and keep our records updated (including to claim Gift Aid on your donations);
- to process and respond to requests, enquiries and complaints received from you or about you;
- to provide services or information requested by you and any related communications;
- to recommend products and services that we believe will be of interest to you;
- to analyse trends and profiles in order to better understand our performance, improve our services and better meet the needs of our supporters, or to report on the results and impact of our work;
- to administer our website;
- to process employment applications;
- to transfer to service suppliers who undertake processing on our behalf, at our direction or otherwise to transfer any personal information to any other regulator or government body as required;
- for legal obligations (including those arising under contracts) and regulatory compliance;
- for audit purposes and to administer our accounts;
- to detect or prevent fraud, misuse of services or money laundering;
- the enforcement of legal claims;
- for any other purposes which we will notify you about.
The Foundation may analyse your personal information to create a profile about you, your interests and preferences; including identification of, and subsequent research into, prospective donors. This is to gain a better understanding of our supporters and identify prospective supporters.
This analysis, which may include identifying indicators of wealth and analysis of our database in future, will inform our fundraising strategy, helping us to provide you with relevant and effective communications and strengthening the donor-charity relationship with our supporters in the most efficient way possible. As a charity, this helps the Foundation make best use of its charitable funds in order to maximise the public benefit it is able to deliver.
In doing this, we may combine information that you have given us with other information about you when it is available (for example, from public records or social media). We may use third party suppliers to undertake these activities on our behalf and share your data with them only to the extent required.
You can opt out of your personal information being used in this way by contacting us.
- Sensitive personal information
Data privacy law identifies certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health. In limited cases, we may collect and/or use your sensitive personal information (also known as special category data). Normally we will only do so where we have your explicit consent, but there may be other circumstances permitted under data privacy law.
For example, we may record that a person is in a vulnerable circumstance in order to comply with requirements under charity law and fundraising regulation to ensure that we do not send fundraising communications to them.
PLEASE BE AWARE THAT if you send the Foundation unsolicited sensitive personal information, including requests for mental health related support and information, you do so at your own choice, as we do not have the expertise to provide specialist support in this area. See how we will share your information below.
- Our legal bases for collecting and using your personal information
In order to lawfully collect, hold and use your personal information, we must rely on one or more of six grounds set out in data privacy law. We consider the following to be relevant to our use:
- Where you have given consent (for example, to send you promotional or fundraising material by email, and we may ask for your explicit consent to collect certain types of sensitive information).
- Where it is necessary to comply with a legal obligation (for example, sharing with HMRC to process Gift Aid).
iii. Where it is necessary for the performance of a contract with you or take steps at your request prior to entering into a contract (for example if you order one of our publications).
- Where it is necessary to protect someone’s vital interests. Whilst we are not able to advise people directly on their personal circumstances, and do not provide a helpline service, as a mental health charity we may from time to time receive enquires from individuals in distress. We may refer these enquiries on to those better equipped to assist if we feel yours or another’s vital interests are at risk.
- Where there is a ‘legitimate interest’ in us doing so.
The law allows us to collect and use personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as to do so it is fair, balanced and does not unduly impact on your rights). In general, our legitimate interests are the running of a charitable entity and pursuing our mission and vision. This may include charity governance, administration and operational management, and fundraising and campaigning (including sending marketing by post, and analysis in order to develop effective communication and fundraising strategies). When we rely in this lawful basis, we consider and balance any potential impact on you (positive and negative) and on your privacy rights.
- How long we keep your information
Whatever your relationship with us, we only keep your personal information as long as necessary to fulfil the purposes we hold it for, including satisfying any legal, accounting or reporting requirements. Usually this will be for a specified amount of time in accordance with our internal retention policy.
That length of time may vary depending on the reasons for which we are processing the personal information and whether we have a legal (for example under financial regulations) or contractual obligation to keep it for a certain amount of time.
Once the retention period has expired, personal information will be confidentially disposed of or permanently deleted.
If you object to further contact from us, we will keep some basic information about you on a ‘suppression list’ in order to comply with your request in the future.
At the Mental Health Foundation we undertake proportionate and appropriate measures to ensure security and confidentiality of your personal information. We make sure that your personal information is only accessible by trained staff, volunteers and contractors. Access to sensitive personal information will be restricted to only those individuals that need this data in order to carry out their functions. We also use password protections. These are examples – we ensure appropriate measures are in place proportionate to the risk involved.
Our site is protected by HTTPS, meaning that any personal information that you transfer to us via our website is encrypted and is stored as securely as possible. The transmission of information via the internet is never completely secure, and we cannot guarantee the security of personal information transmitted via the internet.
In general, the personal information that we collect is stored at a destination within the UK or European Economic Area (EEA). However, your personal information may sometimes be transferred or stored outside the EEA.
Some countries outside the EEA have lower standards of protection for personal information. In these cases we will take all steps reasonably necessary to ensure that the recipient implements appropriate safeguards to protect your personal information (for example, by entering into a contract approved by the European Commission).
- Links to other websites
Our website includes links to other websites which you may find useful. This policy does not cover their privacy practices and we are not responsible for the content of other sites or their privacy policies and practices. We encourage you to read the privacy policies of any external sites you visit via links on our websites.
- Communicating with you
Marketing and fundraising communications
We may use your contact details to provide you with information about our work (including our campaigns), events, services and/or activities which we consider may be of interest to you.
Where we do this via email, SMS or telephone (where you are registered with the Telephone Preference Service), we will not do so without your prior consent (unless allowed to do so via applicable law).
Where you do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at email@example.com. You can opt out of receiving emails from the Mental Health Foundation at any time by clicking the “unsubscribe” link at the bottom of our emails.
Social media/ digital
Depending on your settings or the privacy policies for social media sites like Facebook and Twitter you may receive targeted advertisements about the Mental Health Foundation through our use of social media audience tools.
We may participate in Facebook’s ‘Custom Audience’ programme, which enables us to display adverts to our existing supporters, or people with similar interests, when you provide your email address, mobile number and address, to Facebook so they can determine whether you are a registered account holder with them (or so they can create a ‘lookalike’ audience). Our adverts may then appear when you access Facebook. Your details are sent in an encrypted format that is deleted by Facebook if it does not match with a Facebook account. For more information about this, please see Facebook’s relevant guidance and policies.
We will also communicate with you for other purposes using the contact details you have provided. For example, to process a donation or, if you have signed up to participate in an event, to check that fundraising pages have been set up and to provide any other necessary information.
Please be aware we may still need to contact you for administrative purposes even where you have opted-out of receiving marketing from us.
- Will we share your personal information
We may share your personal information to third parties in order to achieve the purpose set out in this notice, including suppliers and sub-contractors (for example website hosts or cloud storage providers).
Where we share with these third parties we will have appropriate agreements or protocols in place to ensure that your personal information is safeguarded.
As explained above, we are not equipped to deal with requests for mental health support. We may share your personal information with appropriate third parties such as Samaritans or Mind when we consider it necessary to protect vital interests. See their respective privacy policies here – https://www.mind.org.uk/legal-info/privacy-policy/ and https://www.samaritans.org/privacy-statement.
We may also need to disclose your personal information where legally required or when asked by regulatory bodies (such as HMRC) or law enforcement agencies. We may also merge or partner with other organisations and in doing so acquire or transfer personal information, but if this were the case your personal information would continue to be used for the purposes set out in this policy.
- Your rights
Where we rely on your consent to use your personal information, you can withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing purposes (change your communication preferences at any time by contacting us). You also have the following rights:
- Right of access – You can request access to personal information we hold about you. Provided we are satisfied that you are entitled to a copy and we have confirmed your identity, we will provide the information subject to any applicable exemptions. If you wish to make the request, please cysylltwch â ni.
- Right of rectification – You have the right to request that we correct inaccurate personal information concerning you. You can ask us to check if you are unsure.
- Right of erasure – In some circumstances you may request we delete your personal information. Note that in many cases we will need to keep limited personal information about you in order to ensure we don’t send you further communications (This is sometimes call the ‘right to be forgotten’).
- Right to restrict processing – You may ask for our use of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object – You can ask us not to use your personal information for direct marketing purposes (cash appeals, raffles and fundraising campaigns), or where we are using it on the basis of our legitimate interests or for research or statistical purposes. You may opt-out from email marketing by clicking the ‘unsubscribe’ link in our emails or contact us if you wish to no longer receive marketing communication in the post.
- Right to data portability – Where we are processing your personal information by ‘automated means’ and either (i) because we have your consent or (ii) because it is necessary for a contract with you, you may ask us to provide your personal information to you or another service provider in a machine-readable format.
- Rights related to automated decision-making – You have certain rights in relation to decisions made solely on the basis of automated processing of your personal information that has legal or similar effects on you (e.g. automated credit checks).
We may ask you for additional information to confirm your identity before disclosing personal information to you.
Please note that these rights may only apply in limited circumstances. For more detailed information, we suggest you consult guidance from the Information Commissioner’s Office (ICO) or cysylltwch â ni.
- Changes to this policy
We may need to update this policy from time to time, including to reflect changes in the relevant law or in the way we collect, process and store your data. We will notify you when significant changes will be made to this policy.
- Text to donate
By texting FIVER to 70300, you agree to donate £5. By texting THRIVE to 70300, you agree to donate £3. By texting ESTEEM to 70300, you agree to give £3 per month. Texts are charged at your standard network rate. By texting this number you consent to us keeping you up to date on how you can donate to us, and how you can get involved in our activities including fundraising, unless you tell us otherwise by emailing firstname.lastname@example.org.
- Contact details and complaints
If you have any queries relating to this policy, please contact us either by email at email@example.com or by writing to us at Mental Health Foundation, Workbench, 16, Neptune Ct, Cardiff CF24 5PJ.
You are entitled to make a complaint to the ICO at any time. We are always grateful for the opportunity to resolve your concerns before you feel it is necessary to approach the ICO.