Privacy and Data Protection Statement
Who are we?
Sparks Charity (Sparks) raises money to fund pioneering child health research across the UK, helping to find new treatments and cures for children and families who desperately need them.
Sparks is a subsidiary of Great Ormond Street Hospital Children’s Charity (GOSH Charity) and part of the GOSH Charity Family. Sparks is a registered charity in England and Wales (registered charity number 1003825) and Scotland (registered charity number SC039482) and is also registered as a company limited by guarantee (company number 2634037).
GOSH Charity raises money to enable the hospital to provide world class care to children and to pioneer new treatments and cures for childhood illnesses. The support the Charity provides to Great Ormond Street Children’s Hospital is concentrated in four main areas namely, redevelopment, research, medical equipment and accommodation and patient/patient family support.
GOSH Charity is a registered charity in England and Wales (registered charity number 1160024) and we are also registered as a company limited by guarantee (company number 09338724). We use a wholly owned subsidiary company, Great Ormond Street International Promotions Limited (company number in England and Wales number 02265303) to record our activity classed as trading, for example the selling of GOSH Charity branded clothes and gifts.
Unless otherwise stated, within the context of this policy, the terms “we” and “the Charity” means GOSH Charity, Sparks and our trading subsidiary.
Basis for processing personal information
The charity uses any one of the following lawful basis for processing your personal information:
a) You have consented to us processing your data; or
b) There is a contractual relationship with you; or
c) We are legally obliged to process your data; or
d) We believe it’s in the legitimate interest of either you as the data subject, or us as the Charity, to process your data. Legitimate interest can be used where there is a reasonable purpose to process an individual’s data. For more information on legitimate interest, please see the ICO’s website or contact us.
e) We believe it is in the public interest to process your data and this interest is supported by a clear law e.g. safeguarding.
It’s important that the personal information the charity obtains is held, used, transferred and otherwise processed in accordance with the legislation.
The law sets out a couple of additional grounds over and above those listed above, however the charity is only using the grounds detailed above. In the future, if the grounds for processing change, the notice will be updated to reflect this. For more information about how the policy is changed please click here.
The charity gets its authority to process your personal information from the legal requirements set out in the following legislation (laws):
• Data Protection Act 2018;
• General Data Protection Regulation; and
• Privacy and Electronic Communications Regulations
Your personal information is processed and stored in accordance with the legal requirements in the corresponding laws.
Information processed by the Charity
Personal information is information that can be used to identify you.
You can find examples of personal information in the four categories below.
Category 1: identification information
date of birth
Category 2: personal life information
family and friend connections, such as parents and siblings
type of organisation you work at
activities by the charity that you may be interested in
Category 3: economic and financial information
bank account details
credit/debit card details
whether you are a UK tax payer so that we can claim Gift Aid (we don't collect information about your tax payments, only whether you are a tax payer
Category 4: connection information
Special category (or sensitive information)
Information in this category is more sensitive than in the categories above and includes:
health and medical information
The charity doesn't usually collect this type of information unless there's a clear reason for doing so. An example of when collecting this information is necessary is participating in an event where we need this information to ensure we provide you with the appropriate facilities.
The charity may also collect health information if you tell us about your experiences with the hospital.
We will make it clear when and why we are collecting this information.
How we collect personal information
We collect information about you in the following ways:
• when you enquire about our services;
• when you complete a satisfaction survey;
• when you, or someone on your behalf, makes a donation to us;
• when a relative provides your name and contact details as an emergency contact;
• when you register to participate in an event either directly with the Charity or through a third-party and have indicated that you wish to fundraise for us;
• when you agree to 3rd parties such as Royal Mail providing us with your details;
• when you engage in our social media, digital advertising or message boards;
• when you voluntarily give the Charity your personal information;
• when you order products from the GOSH Shop;
• when you apply for a charity grant for projects that will improve the healthcare and services at Great Ormond Street Children’s Hospital;
• when you apply for a research charity grant to further child health research at Great Ormond Street Children’s Hospital, the UCL Great Ormond Street Institute of Child Health and around the UK;
• when you subscribe to our charity publications or email newsletters; and
• when you read or download information from our website.
Photography and images
Sparks Charity uses photography, images and film.
The images are used in media (such as newspapers, magazines, websites or broadcast outlets), on social media, in publications, on our website, in printed or online fundraising materials, in fundraising and awareness films or by our corporate partners who help us raise money to support the Charity.
Patient Case Studies
Photography, images and film created for patient case studies is taken and used with your consent.
We will discuss with you how your, and/or your child’s, image and information is going to be used and ensure you are happy for it to be used in this way. You can ask us to stop any time and we will refresh your consent every two years.
Event Photography and Film
Where an event is organised by the Charity, we will ask you for consent to use any photographs taken where you are the focus of the image. Permission will be requested either prior, during or after the event.
Where the photograph does not focus on you as an individual, e.g. where you appear in the background of the photograph or as one of a number of people in a group shot, it is not normally necessary for us to ask your permission. We will ensure the terms and conditions of the event tell you if there will be photographers present.
If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact the Charity after the event. You can change your mind at any time, and we will refresh your consent on a regular basis.
Where the event is organised by a third-party, we will use photography from the event under our legitimate interests. We will be clear in our terms and conditions of entry if this is the case. If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact the Charity after the event.
At some events there may be photographers present who represent the media or the event organiser and for whom the Charity is not responsible. Please review the terms and conditions issued by the event organiser for more information and inform the event organiser of your preferences and wishes in respect of photography taken.
For more information on your rights in how GOSH Charity use photography and images please see the Your Rights section.
The reasons the Charity collects and uses information
We’ll collect and use your information for one or more of the following reasons:
1) Under the lawful basis of contractual necessity for processing, we collect and use your information as follows:
• to process your order and send you the items that you have ordered through our shop;
• for the purposes of you entering a raffle, prize draw or competition;
• to award grants for specific research programmes and monitor the impact of research funding; and
• to process direct debit donation claims.
2) Under the lawful basis of legal obligation for processing, we collect and use your information as follows:
• where the collection is required or authorised by law;
• to administer any requests where you are exercising your legal rights; and
• to assess your personal information for credit risk, age verification or fraud prevention. Charities can be targeted for illegal purposes such as money laundering and therefore we are required to monitor financial activity and report suspected fraud to the appropriate authorities.
3) Under lawful basis of consent for processing, we collect and use your information as follows:
• for your participation or expressed interest in an event, ensuring you have all the required information;
• to ask you to help the Charity by raising money on our behalf or donating money to us but always in accordance with our supporter commitment;.
• where you have made a donation in celebration of another individual and that individual, or a related person, wish to know who has given; and
• the taking and use of photography, images or film in case studies, media and press publications and marketing materials.
4) Under the lawful basis of legitimate interest for processing, we collect and use your information as follows:
• to process any donation(s) or gifts we may receive from you;
• to provide you with information about the Charity’s work or activities that you have requested;
• for internal record keeping such as to manage feedback, respond to enquiries or complaints;
• the administration, organisation and management of events where you are taking part;
• to send you marketing materials by post (unless you’ve asked us not to);
• to administer and monitor grant funding;
• to help us identify new supporters;
• to analyse and improve our services regarding:
• supporting the Hospital.to support effective and efficient record-keeping;
• for data quality and data analytics purposes;
• to use IP Addresses:
to block disruptive use;
to record website traffic; or
to personalise content based on previous visitor history.
• the use of photographs and images taken during third-party managed events;
• when a relative (e.g. a staff member, volunteer or event participant) provides your contact details as their emergency contact; and
• to invite you to participate in surveys regarding your experience with the Charity or market research.
Credit, debit card and payment
Donations to the charity can be made via credit or debit card payments, direct debit, standing order, Charity Aid Foundation (CAF) vouchers, cash and cheques.
Payments for purchases can be made online or over the phone.
We ensure that all payments or donations are carried out securely and, where applicable for payment cards (such as MasterCard and Visa payment) are processed in accordance with the Payment Card Industry Data Security Standard (“PCI DSS”).
To find out more about PCI DSS standards visit their website at pcisecuritystandards.org.
Your payment information
In addition to keeping your payment information safe during the payment process, we will:
• not store your credit or debit card details
• securely destroy all card details and validation codes once the payment or donation process is complete
• immediately delete any emails received that contain any credit or debit card details
• only allow authorised staff to process payments and access payment details
Other payment options
We also offer Mobile Wallet payment options, such as ApplePay and Google Pay, for some services. To process payments made through Mobile Wallets we use a third party called Stripe Payments Europe Ltd (Stripe).
Profiling means gathering information about individuals and analysing their characteristics and behaviour patterns to place them in a certain category to help inform the efficiency of the Charities fundraising activity or to help identify possible new supporters. It’s a procedure that involves processing personal information using a series of statistical deductions to make predictions about people which makes an inference based on the qualities of others who appear statistically similar to the individual whose personal information is being processed.
How we use profiling
We aim to ensure that our fundraising activity and marketing communications are appropriate and timely. We want to send you the most relevant information and only promote donation opportunities that we believe you are most likely to be interested in.
To do this, we may use your personal information, which at times includes previous transactions and communication history, alongside profiling techniques and insight companies to help us identify other people who may have an interest in supporting our Charity or to provide us with general information about you such as information you have volunteered about your lifestyle and purchasing habits. To assist us, we may use public registers, or third-party information services, such as Experian's Mosaic product. For more information, please see the Information Sharing section.
You can request to not have your information used in this way. For full details of the rights you have, please see below.
Website Tracking and Cookies
For all areas of our websites which collect personal information, we follow best practice for web and data security. Although we cannot 100% guarantee the security of any information you give us, we enforce strict procedures and security features to protect your information and prevent unauthorized access.
We also gather information such as pages most visited, the events or activities of most interest and products borrowed and purchased, to help improve our website and activities.
Wherever possible, we will keep this information anonymous so that it will not identify you as an individual visitor to our websites.
A cookie is a small text file that is placed on your computer or mobile device when you access our websites. This allows the website to recognise your device and store information about your preferences and actions.
Sparks use Session, Persistent and Essential Cookies which are described further below:
1) Session Cookies allow websites to link the actions of a user during a browser session. We will use session cookies for helping remember what you have accessed as you browse our website, including what you have put in your shopping basket. These cookies are deleted from your computer when you close your browser and are not stored longer term.
2) Persistent Cookies are cookies which are stored on your device in between browser sessions, allowing your preferences or actions to be remembered when you revisit the website. They remain on your computer until you delete them or they reach their expiry date. These cookies allow us to understand whether you have previously visited the website using this browser and device and help us to tailor our marketing based on your previous activity.
3) Essential Cookies are those cookies which are necessary for us to run our website. Without these, the page would not load properly. These cookies help us to keep the Charity website up and running and provide you with a good experience when you browse our website.
You can disable session and persistent cookies using your browser settings. Details of how to do this are listed below.
Browser cookie settings
If you would like to prevent cookies from being set by our website, the following links will help:
How to change your cookie settings in Firefox
How to change your cookie settings in Internet Explorer
How to change your cookie settings in Google Chrome
How to change your cookie settings in Safari (OS X)
How to change your cookie settings in Safari (iOS)
How to change your cookie settings in Android
To find out more about cookies, please visit allaboutcookies.org
A spotlight tag records access to a website as part of online advertising. Spotlight tags allow us to track, measure and report on activities that happen on our website after you see or click on an ad. These tags allow us to measure the effectiveness of our online marketing campaigns.
These files are provided to us by our ad partner, DoubleClick. For more information about DoubleClick please visit doubleclick.net
A web beacon is an invisible graphic that is placed on a website or in an email and used to monitor the behaviour of the user visiting the website or sending the email. When you open an HTML email that we have sent you, this graphic is downloaded from a web server and generates a record showing that the email was opened, how many times it was forwarded (if any) and which links within the email were clicked.
Access the MailChimp website to find out more information.
High value fundraising
To enable us to fundraise for high value giving opportunities appropriately and effectively, we will research individuals and organisations to help us identify suitable major donors, corporate partners, patrons, and committee or appeal board members.
This research helps us to identify individuals or organisations who have the capacity to make substantial donations, who appear to have an interest in supporting our cause and who may be able to help us to raise funds through volunteer support for our appeals, events or partnership opportunities.
Processing of information for high value fundraising
We use our legitimate interests to process your information for high value fundraising research.
The processing of your information in this way for high value fundraising is instrumental in enabling us to support large-scale projects and initiatives that benefit Great Ormond Street Children’s Hospital and UCL Great Ormond Street Institute of Child Health. We appreciate that you expect us to conduct such processing in an efficient and professional manner whilst taking your right to privacy into account.
We will inform you of the processing we undertake when we first contact you and then at further regular intervals throughout the lifetime of our contact with you. You can, exercise your rights at any time. If you would like any further information about how we reached our decision to use legitimate interests, please contact our Data Protection Officer.
How we undertake research
We are careful to ensure information collated is not excessive or intrusive and is sourced reliably and appropriately.
Any research is undertaken using only credible, publicly available information. This may include sources such as national and local press, Companies House, Charity Commission and from social media sites such as LinkedIn. We’ll only use these where the data has been deliberately made public. We may also use appropriate third-party sources to identify and inform professional approaches to prospective donors, partners and volunteers.
We don’t routinely collect large volumes of personal information related to your health, racial or ethnic origin, or religious or political beliefs. However, occasionally the research we undertake may include limited information which falls within this description. We recognise the sensitivities of this information and will only process and record this information if you tell us directly and agree to this processing.
Ethical screening and minimising risk
To comply with our obligations as a charity, we must also take reasonable and appropriate steps to know who our donors are, particularly where significant sums are donated.
Using charity law as a legal basis for processing, we may conduct due diligence to provide assurances that donations and support are from appropriate sources. This is to safeguard our reputation and to help us mitigate any associated risk.
We have clearly defined principles that guide how we engage in mutually beneficial relationships with companies, foundations and individuals. These principles ensure that we raise money legally, safely and transparently.
The nature and extent of due diligence research is proportionate to the fundraising opportunity. This doesn’t mean that we’ll research lots of personal details about every donor or question every donation. Any information we collect for these purposes will only consist of what is necessary for us to meet these requirements and will be processed in line with your rights.
For full details of the rights you have, please see below.
Marketing communication and preferences
We use marketing communications to keep you up to date with what we’re doing, how you can get involved, and news and features about the charity which we feel will be of interest to you. This may include newsletters, surveys, financial appeals, raffle appeals, catalogues from our shop, fundraising opportunities or updates about the hospital.
We use a variety of methods to send marketing to you including post and electronic channels.
Electronic marketing includes the use of:
• telephone (landline and/or mobile)
• text messages
We’ll always ask your permission before we send you electronic marketing.
You can choose any combination of these methods and once you have told us how you want to hear from us, we’ll check in with you regularly (approximately every three years unless we advise you to the contrary) to make sure you haven't changed your mind. You can always tell us, at any time, if you no longer want to receive these communications.
The Charity uses social media to communicate with you and share information about campaigns or events. Currently we use Facebook, LinkedIn, Twitter and Instagram. We do this through advertising on your social media or through posting messages and information on our own social media pages which you may choose to “like”, “follow” or interact with.
For our supporters who are also Facebook users, we work with Facebook to use tools that Facebook make available to us to advertise to you. These tools enable our communications to appear on news feeds, and this is called a “custom audience”. We will only do this if you have already consented to us sending you marketing via email and where we believe the marketing communication may be of interest to you. Where this is the case, your name and e-mail address will be uploaded in an encrypted format to Facebook. Facebook will determine if you have a Facebook account and then place the marketing directly on your news feed. We may also use the same tool in a slightly different way to ensure you don’t receive unnecessary marketing communications.
We take your privacy and rights seriously but still deem your interest to us important. For this reason, we use our legitimate interest to use your information and communicate with you in this way. Therefore, we will not ask for your permission to market to you through social media, but you are always free to inform us that you do not want us to contact you in in this way. Please see Changing Marketing Preferences section below.
You can also update your preferences within the social media site to stop receiving marketing.
For further information on Facebook in particular, please see their terms of service and their data policy.
This is where you receive information about the charity through your mail box.
Postal marketing enables us to contact a wide range of individuals and is an easy way to keep you updated. It allows you to donate and get involved in your own time and in a way which isn’t intrusive for you.
For this reason, and after careful consideration, we use our legitimate interests to send marketing in this way. This means that we won’t ask you for prior permission to send you marketing by post, but you can always tell us if you no longer want to receive post. If you would like any more information about how we reached our decision to use legitimate interests, please contact our Data Protection Officer.
Changing your marketing preferences
You can stop receiving marketing communications altogether or change your preferences at any time either by following the instructions in the communication you have received or by contacting our Supporter Services Team.
We won’t use your information for marketing purposes if you have asked us not to. However, we may retain your details on a suppression list to help ensure we don’t continue to contact you.
For full details of the rights you have, please refer to the Your Rights section.
We don’t sell or swap your information with any third party for their marketing purposes. However, we do share and/or receive information from the recipients set out below:
1) Our Data Processors are organisations who:
a. act as a fundraiser for the Charity;
b. provide us with information and help us place marketing (subject to your communication preferences and our internal policies and procedures);
c. who will build a profile using information shared and return the profile to us, such as Experian;
d. help us identity possible new supporters;;
e. help us keep our records up-to-date and accurate;
f. help us investigate and respond to complaints and enquiries; and
g. who sell the charity products through our shop.
2) Volunteer Boards and committees who we share information with, where it is appropriate to do so, to enable us to accept donations or to pursue support.
3) Great Ormond Street Hospital and UCL Great Ormond Street Institute of Child Health who, where appropriate, we will accept information from, and share information with, in relation to key stakeholders.
4) Other third-parties where we are required to do so, including:
a. the police;
b. contracted parties who enable us to enforce or apply our terms and conditions or rights under an agreement;
c. third-party organisations where there is a need and we have entered into an information sharing agreement;
d. to protect us, for example in the case of suspected fraud or defamation; and
e. government bodies or regulatory bodies including the Charity Commission, Information Commissioners Office or Fundraising Regulator.
All our data processors are carefully selected and are trusted partners of the Charity. All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place with our trusted partners and we regularly monitor all our partners to ensure their compliance.
If you would like more information about our trusted partners, please contact our Data Protection Officer.
We do not share your information for any other purpose.
Accuracy, retention and storage
We aim to ensure that all information we hold about you is accurate and kept up-to-date. We use services provided by trusted third-party organisations, such as the National Change of Address Register (facilitated by Royal Mail), to assist us with this. We also screen our records against other registers, such as the Bereavement Register, to ensure we do not contact individuals inappropriately.
If we believe the information we hold is not up-to-date, we will either update our records to reflect the information received from those services detailed above; or contact you and ask you to help us update this.
Similarly, if you believe any of the information we hold is inaccurate, or your circumstances change, please advise us and we will ensure our records are updated as soon as possible.
For more information on how to tell us your preferences regarding your personal data or to update your personal data please see the Your Rights section.
Storing your Information
The charity maintains a secure back-up of its information. This enables us to ensure that in the event of an incident which disrupts normal business operations, we can restore these operations as quickly as possible, continuing to provide support in the meantime.
We aim to store all information within the UK or within the European Economic Area ("EEA").
In some situations, it is possible that your information may be transferred outside the EEA. This may occur where, for example, one of our trusted partners processing information on our behalf has servers located in a country outside the EEA.
The charity keeps personal information about its donors and supporters in line with its Records Retention Policy and Records Retention Schedule, available on request to email@example.com.
All periods set in the Records Retention Schedule reflect the minimum retention period and take into consideration any legal requirements, tax or accounting rules. Documentation is reviewed prior to any decision being made about its destruction. With appropriate justification, documentation can be retained for longer than the suggested retention period but will be regularly reviewed thereafter and destroyed as soon as it is no longer required. When we no longer need to retain your information, we will ensure it is securely disposed of.
You have a right to ask us to delete personal information we hold about you in some circumstances (please see the “Your Rights” section for more information).
Protecting Children, Young Persons and Vulnerable Adults
If you are aged 16 or under, and would like to participate in an event, donate or get involved with us, please make sure that you have your parent/guardian’s permission before giving us your personal information. For some individuals we may require parental consent prior to collecting or using any personal information.
Where we collect information about you, we will make it clear as to the reasons for collecting this information and how it will be used.
The Charity recognises the importance of protecting individuals who may be in vulnerable circumstances and follows the sector best practice on, including that issued by the Institute of Fundraising, Treating Donors Fairly.
We believe that this guidance helps to support our staff and fundraisers who come into contact with supporters in providing high quality customer care, ensuring anyone donating to the Charity is in a position to make a free and informed decision.
If you would like to find out more about the Institute of Fundraising’s guidance, please follow this link : http://www.institute-of-fundraising.org.uk/library/treatingdonorsfairly/
You have a number of rights available to you and these are set out below.
Right to be Informed
Right to Rectify Inaccurate Information
You have a right to ask the charity to correct any data we hold and process that is no longer correct. You can also ask us to complete information that is incomplete.
Right to Restrict Processing
You have a right to choose what personal information held about you is processed and limit the information that you no longer want the charity to process.
Right to Portability
You have a right to ask the charity to send a copy of the information we hold about you to another organisation.
Right of Access
You have a right to ask us whether we are processing your personal information. Where this is the case, you can ask us to supply you with the information.
Right to Erasure
You have a right to ask the charity to delete the information we hold on you where:
it is no longer required for processing, you no longer consent to the processing, or where you object to processing.
Right to Object to Processing
You have the right to object to the processing of your information where:
this is carried out by us under the basis of public interest or legitimate interests, this is processed for direct marketing purposes, or this is processed for scientific or historical research purposes, or statistical purposes.
Right not to be subjected to Automated Decision Making
You have a right not to have your information processed using solely automated means with no human intervention, including any profiling activity.
You can exercise any of these rights at any time by contacting the Charity's Data Protection Officer on firstname.lastname@example.org.
If you are unhappy with the way your information is being processed, you may lodge a complaint with the UK's Supervisory Authority, the Information Commissioner. They can be contacted on 0303 123 1113 or via https://ico.org.uk/concerns/handling/
Our contact details
If you have any questions or queries about this Privacy Notice, please contact our Data Protection Officer or our Supporter Care Team:
Data Protection Officer (DPO)
Role/Department: Head of Governance, Legal and Compliance
Subject: Private Information Request / Data Protection Complaints / General Enquiries
Address: 40 Bernard Street London, WC1N 1LE
Telephone: 020 3841 3000
Role/Department: Supporter Services
Subject: Compliments and Complaints / General Enquiries
Address: 40 Bernard Street London, WC1N 1LE
Telephone: 020 7091 7750
This policy was last updated in January 2020 and replaces all previous versions.
We will regularly review and update this document. Changes will be notified either via e-mail or through an announcement on our website.