Privacy and Data Protection Statement

Who are we?

Sparks Charity (Sparks) raises money to fund pioneering child health research across the UK, helping to find new treatments and cures for children and families who desperately need them.

Sparks is a subsidiary of Great Ormond Street Hospital Children’s Charity (GOSH Charity) and part of the GOSH Charity Family. Sparks is a registered charity in England and Wales (registered charity number 1003825) and Scotland (registered charity number SC039482) and is also registered as a company limited by guarantee (company number 2634037).

GOSH Charity raises money to enable the hospital to provide world class care to children and to pioneer new treatments and cures for childhood illnesses. The support the Charity provides to Great Ormond Street Children’s Hospital is concentrated in four main areas namely, redevelopment, research, medical equipment and accommodation and patient/patient family support.

GOSH Charity is a registered charity in England and Wales (registered charity number 1160024) and we are also registered as a company limited by guarantee (company number 09338724). We use a wholly owned subsidiary company, Great Ormond Street International Promotions Limited (company number in England and Wales number 02265303) to record our activity classed as trading, for example the selling of GOSH Charity branded clothes and gifts.

Unless otherwise stated, within the context of this policy, the terms “we” and “the Charity” means GOSH Charity, Sparks and our trading subsidiary.

Basis for processing personal information

The charity uses any one of the following lawful basis for processing your personal information:

1. You have consented to us processing your data; or
2. There is a contractual relationship with you; or
3. We are legally obliged to process your data; or
4. We believe it’s in the legitimate interest of either you as the data subject, or us as the Charity, to process your data. Legitimate interest can be used where there is a reasonable purpose to process an individual’s data. For more information on legitimate interest, please see the ICO’s website or contact us.

It’s important that the personal information the charity obtains is held, used, transferred and otherwise processed in accordance with the legislation.

The law sets out a couple of additional grounds over and above those listed above, however the charity is only using the grounds detailed above. In the future, if the grounds for processing change, the notice will be updated to reflect this. For more information about how the policy is changed please click please refer to the Our Contact Details section.

The charity gets its authority to process your personal information from the legal requirements set out in the following legislation (laws):

-Data Protection Act 2018;
-General Data Protection Regulation; and
- Privacy and Electronic Communications Regulations

Your personal information is processed and stored in accordance with the legal requirements in the corresponding laws.

Information processed by the Charity

Personal information is information that can be used to identify you.

You can find examples of personal information in the four categories below.

Category 1: identification information
• name
• date of birth
• email address
• landline number
• mobile number
• fax number
• postal address
• photography/images
• film

Category 2: personal life information
• family and friend connections, such as parents and siblings
• job role
• type of organisation you work at
• activities by the charity that you may be interested in

Category 3: economic and financial information
• bank account details
• credit/debit card details
• whether you are a UK tax payer so that we can claim Gift Aid (we don’t collect information about your tax payments, only whether you are a tax payer

Category 4: connection information
• browser information
• device data
• location data

Special category (or sensitive information)
Information in this category is more sensitive than in the categories above and includes:
• health and medical information
• ethnicity
• criminal conviction

The charity doesn’t usually collect this type of information unless there’s a clear reason for doing so. An example of when collecting this information is necessary is participating in an event where we need this information to ensure we provide you with the appropriate facilities.

The charity may also collect health information if you tell us about your experiences with the hospital.

We will make it clear when and why we are collecting this information.

How we collect personal information

We collect information about you in the following ways:

  • when you ask about our services
  • when you make a donation to the charity
  • when you register for an event
  • when you engage in our social media, digital advertising or message boards
  • when you voluntarily give the Charity your personal information
  • when you apply for a charity grant for projects that will improve the healthcare and services at Great Ormond Street Children’s Hospital
  • when you apply for a research charity grant to further child health research at Great Ormond Street Children’s Hospital, the UCL Great Ormond Street Institute of Child Health and around the UK
  • when you subscribe to our charity publications or email newsletters
  • when you read or download information from our website

Photography and images

Sparks Charity uses photography, images and film.

The images are used in media (such as newspapers, magazines, websites or broadcast outlets), on social media, in publications, on our website, in printed or online fundraising materials, in fundraising and awareness films or by our corporate partners who help us raise money to support the Charity.

Patient Case Studies

Photography, images and film created for patient case studies is taken and used with your consent.

We will discuss with you how your, and/or your child’s, image and information is going to be used and ensure you are happy for it to be used in this way. You can ask us to stop any time and we will refresh your consent every two years.

Event Photography

Where an event is organised by the Charity, we will ask you for consent to use any photographs taken where you are the focus of the image. Permission will be requested either prior, during or after the event.

Where the photograph does not focus on you as an individual, e.g. where you appear in the background of the photograph or as one of a number of people in a group shot, it is not normally necessary for us to ask your permission. We will ensure the terms and conditions of the event tell you if there will be photographers present.

If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact the Charity after the event. You can change your mind at any time and we will refresh your consent on a regular basis.

Where the event is organised by a third-party, we will use photography from the event under our legitimate interests. We will be clear in our terms and conditions of entry if this is the case. If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact the Charity after the event.

At third-party events there will be photographers present who represent the event organiser and for whom the Charity is not responsible. Please review the terms and conditions issued by the event organiser for more information and inform the event organiser of your preferences and wishes in respect of photography taken.

For more information on your rights in how Sparks Charity use photography and images please see the Your Rights section.

The reasons the Charity collects and uses information

We’ll collect and use your information for one or more of the following reasons:

Under the lawful basis of contractual necessity for processing, we collect and use your information as follows:
• to process your order and send you the items that you have ordered through the GOSH Charity shop.
• for the purpose of you entering a raffle, prize draw or competition.

Under the lawful basis of legal obligation for processing, we collect and use your information as follows:
• where the collection is required or authorised by law; and
• to assess your personal information for credit risk, age verification or fraud prevention. Charities can be targeted for illegal purposes such as money laundering and therefore we are required to monitor financial activity and report suspected fraud to the appropriate authorities.

Under lawful basis of consent for processing, we collect and use your information as follows:
• to provide you with the service, products or information about the Charity’s work or the activities we provide that you have requested.
• for your participation or expressed interest in an event, ensuring you have all the required information required.
• to ask you to help the Charity by raising money on our behalf or donating money to us but always in accordance with our supporter commitment found here.
• where you made a donation in celebration of another individual and that individual, or a related person, wish to know who has given.

Under the lawful basis of legitimate interest for processing, we collect and use your information as follows:
• to process any donation(s) we may receive from you.
• to provide you with information about the Charity’s work or activities.
• for internal record keeping such as to manage feedback or respond to complaints.
• to administer and monitor grant funding.
• to help us identify new supporters.
• to analyse and improve our services regarding:
• fundraising;
• retail; and
• supporting the hospital
• to use IP Addresses:
• to block disruptive use;
• to record website traffic; or
• to personalise content based on previous visitor history.
• to invite you to participate in surveys regarding your experience with the Charity or market research.

Credit, debit card and payment

Donations to the charity can be made via credit or debit card payments, direct debit, standing order, Charity Aid Foundation (CAF) vouchers, cash and cheques.

Payments for purchases can be made online or over the phone.

We ensure that all payments or donations are carried out securely and in accordance with the Payment Card Industry Data Security Standard (“PCI DSS”).

To find out more about PCI DSS standards visit their website at pcisecuritystandards.org.

Your payment information

In addition to keeping your payment information safe during the payment process, we will:
• not store your credit or debit card details
• securely destroy all card details and validation codes once the payment or donation process is complete
• immediately delete any emails received that contain any credit or debit card details
• only allow authorised staff to process payments and access payment details

Other payment options

We also offer ApplePay as a payment option for some services. To process payments made through ApplePay we use a third party called Stripe Payments Europe Ltd (Stripe).

Stripe may use, retain and disclose your personal information and credit card details for this purpose and as set out in their privacy policy, including transferring your data outside of the European Economic Area (EEA). Where such transfer occurs, we ensure your data is adequately protected as described in The Accuracy, Retention and Storage section.

Profiling

Profiling means gathering information about individuals and analysing their characteristics and behaviour patterns to place them in a certain category to help inform the efficiency of the Charities fundraising activity. It’s a procedure that involves processing personal information using a series of statistical deductions to make predictions about people which makes an inference based on the qualities of others who appear statistically similar to the individual whose personal information is being processed.

How we use profiling
We aim to ensure that our fundraising activity and marketing communications are appropriate and timely. We want to send you the most relevant information and only promote donation opportunities that we believe you are most likely to be interested in.

To do this, we may use your personal information which at times includes previous transactions and communication history, alongside profiling techniques and insight companies to provide us with general information about you – information you have volunteered about your lifestyle and purchasing habits. To assist us, we may use public registers or third-party information services, such as Experian’s Mosaic product. For more information, please see the Information Sharing section of this document.

We also want to increase our fundraising capability and our event participation through identifying new people who may be interested in supporting us. To help us do this, we may share your name and e-mail address with organisations such as Facebook so they can help us identify other social media users that may have an interest in supporting our charity because they share similar characteristics to you. For more information, please see the Information Sharing section of this document.

You can request to not have your information used in this way. For full details of the rights you have, please see the Your Rights section.

Website Tracking and Cookies

Website tracking
Our websites use cookies to help them work well and to find out how people are using them.

For all areas of our websites which collect personal information, we use a secure server. Although we cannot 100% guarantee the security of any information you give us, we enforce strict procedures and security features to protect your information and prevent unauthorized access.

Our websites contain links to other websites belonging to third parties and we sometimes choose to participate in social networking sites including but not limited to YouTube, Facebook, Twitter and Instagram. We may also include content from sites such as these on our website, but we don’t have control of the privacy practices of these other sites. You should make sure that when you leave our site you have read and understood that site’s privacy policy in addition to our own.

We use cookies and spotlight tags to help track the success of our online advertising and monitor how people use our websites. Additionally, Sparks use web beacons to monitor the success of different email communications. We use Google Analytics for our web analytics and work with DoubleClick to monitor our online advertising results.

From time to time, we gather information such as pages most visited, the events or activities of most interest and products borrowed and purchased, to help improve our website and activities.

Wherever possible, we will keep this information anonymous so that it will not identify you as an individual visitor to our websites.

Cookies
A cookie is a small text file that is placed on your computer or mobile device when you access our websites. This allows the website to recognise your device and store information about your preferences and actions.

Sparks Charity use Session, Persistent and Essential Cookies which are described further below:
Session Cookies allow websites to link the actions of a user during a browser session. We will use session cookies for helping remember what you have accessed as you browse our website, including what you have put in your shopping basket. These cookies are deleted from your computer when you close your browser and are not stored longer term.
Persistent Cookies are cookies which are stored on your device in between browser sessions, allowing your preferences or actions to be remembered when you revisit the website. They remain on your computer until you delete them, or they reach their expiry date. These cookies allow us to understand whether you have previously visited the website using this browser and device and help us to tailor our marketing based on your previous activity.
Essential Cookies are those cookies which are necessary for us to run our website. Without these, the page would not load properly. These cookies help us to keep the Charity website up and running and provide you with a good experience when you browse our website.

By using our website, you are consenting to these cookies being placed on your browser. You can disable session and persistent cookies using your browser settings. Details of how to do this are listed below.

More information on the cookies we use, please click here.

Spotlight tags

A spotlight tag records access to a website as part of online advertising. Spotlight tags allow us to track, measure and report on activities that happen on our website after you see or click on an ad. These tags allow us to measure the effectiveness of our online marketing campaigns.

These files are provided to us by our ad partner, DoubleClick. For more information about DoubleClick please visit doubleclick.net

Web Beacon

A web beacon is an invisible graphic that is placed on a website or in an email and used to monitor the behaviour of the user visiting the website or sending the email. When you open an HTML email that we have sent you, this graphic is downloaded from a web server and generates a record showing that the email was opened, how many times it was forwarded (if any) and which links within the email were clicked.

Access the MailChimp website to find out more information.

High value fundraising

To enable us to fundraise for high value giving opportunities appropriately and effectively, we will research individuals and organisations to help us identify suitable major donors, corporate partners, patrons, and committee or appeal board members.

This research helps us to identify individuals or organisations who have the capacity to make substantial donations, who appear to have an interest in supporting our cause and who may be able to help us to raise funds through volunteer support for our appeals, events or partnership opportunities.

Processing of information for high value fundraising
We use our legitimate interests to process your information for high value fundraising research.

The processing of your information in this way for high value fundraising is instrumental in enabling us to support large-scale projects and initiatives that benefit Great Ormond Street Children’s Hospital and UCL Great Ormond Street Institute of Child Health. We appreciate that you expect us to conduct such processing in an efficient and professional manner whilst taking your right to privacy into account.

We will inform you of the processing we undertake when we first contact you and then at further regular intervals throughout the lifetime of our contact with you. You can, exercise your rights at any time. For full details of your rights, please refer to the Your Rights section. If you would like any further information about how we reached our decision to use legitimate interests, please contact our Data Protection Officer using the contact details in the Our Contact Detail section at the end of this policy.

How we undertake research

We are careful to ensure information collated is not excessive or intrusive and is sourced reliably and appropriately.

Any research is undertaken using only credible, publicly available information. This may include sources such as national and local press, Companies House, Charity Commission and from social media sites such as LinkedIn. We’ll only use these where the data has been deliberately made public. We may also use appropriate third-party sources to identify and inform professional approaches to prospective donors, partners and volunteers.

We don’t routinely collect large volumes of personal information related to your health, racial or ethnic origin, or religious or political beliefs. However, occasionally the research we undertake may include limited information which falls within this description. We recognise the sensitivities of this information and will only process and record this information if you tell us directly and agree to this processing.

Due diligence

To comply with our obligations as a charity, we must also take reasonable and appropriate steps to know who our donors are, particularly where significant sums are donated.

Using charity law as a legal basis for processing, we may conduct due diligence to provide assurances that donations and support are from appropriate sources. This is to safeguard our reputation and to help us mitigate any associated risk.

We have clearly defined principles that guide how we engage in mutually beneficial relationships with companies, foundations and individuals. These principles ensure that we raise money legally, safely and transparently.

The nature and extent of due diligence research is proportionate to the fundraising opportunity. This doesn’t mean that we’ll research lots of personal details about every donor or question every donation. Any information we collect for these purposes will only consist of what is necessary for us to meet these requirements and will be processed in line with your rights.

For full details of the rights you have, please refer to the Your rights section.

Marketing communication and preferences

We use marketing communications to keep you up to date with what we’re doing, how you can get involved, and news and features about the charity which we feel will be of interest to you. This may include newsletters, surveys, financial appeals, raffle appeals, catalogues from our shop, fundraising opportunities or updates about the hospital.

We use a variety of methods to send marketing to you including post and electronic channels.

Electronic
Electronic marketing includes the use of:
• telephone (landline and/or mobile)
• email
• text messages

We’ll always ask your permission before we send you electronic marketing.

You can choose any combination of these methods and once you have told us how you want to hear from us, we’ll check in with you regularly (approximately every three years unless we advise you to the contrary) to make sure you haven’t changed your mind. You can always tell us, at any time, if you no longer want to receive these communications.

Social Media
The Charity uses social media to communicate with you and share information about campaigns or events. Currently we use Facebook, LinkedIn, Twitter and Instagram. We do this through advertising on your social media or through posting messages and information on our own social media pages which you may choose to “like”, “follow” or interact with.

For our supporters who are also Facebook users, we work with Facebook to use tools that Facebook make available to us to advertise to you. These tools enable our communications to appear on news feeds, and this is called a “custom audience”. We will only do this if you have already consented to us sending you marketing via email and where we believe the marketing communication may be of interest to you. Where this is the case, your name and e-mail address will be uploaded in an encrypted format to Facebook. Facebook will determine if you have a Facebook account and then place the marketing directly on your news feed. We may also use the same tool in a slightly different way to ensure you don’t receive unnecessary marketing communications.

We take your privacy and rights seriously but still deem your interest to us important. For this reason, we use our legitimate interest to use your information and communicate with you in this way. Therefore, we will not ask for your permission to market to you through social media, but you are always free to inform us that you do not want us to contact you in in this way. Please see Changing Marketing Preferences section below.

You can also update your preferences within the social media site to stop receiving marketing. For further information on Facebook in particular, please see their terms of service and their data policy.

Post
This is where you receive information about the charity through your mail box.

Postal marketing enables us to contact a wide range of individuals and is an easy way to keep you updated. It allows you to donate and get involved in your own time and in a way which isn’t intrusive for you.

For this reason, and after careful consideration, we use our legitimate interests to send marketing in this way. This means that we won’t ask you for prior permission to send you marketing by post, but you can always tell us if you no longer want to receive post. If you would like any more information about how we reached our decision to use legitimate interests, please contact our Data Protection Officer using the details in the Our Contact Details section.

Changing your marketing preferences
You can stop receiving marketing communications altogether or change your preferences at any time either by following the instructions in the communication you have received or by contacting our Supporter Services Team using the details in the Our Contact Details section.

We won’t use your information for marketing purposes if you have asked us not to. However, we may retain your details on a suppression list to help ensure we don’t continue to contact you.

For full details of the rights you have, please refer to the Your Rights section.

Information sharing

We don’t sell or swap your information with any third party for their marketing purposes. However, we may share or receive information in the following ways:

Our Data Processors are organisations who:
• act as a fundraiser for the Charity;
• provide us with information and help us place marketing (subject to your communication preferences and our internal policies and procedures);
• who will build a profile using information shared and return the profile to us, such as Experian;
• help us identity possible new supporters, such as Facebook;
• help us keep our records up-to-date and accurate; and who sell the charity products through the GOSH Charity shop.

Volunteer Boards and committees who:
• we share information with, where it is appropriate to do so, to enable us to accept donations or to pursue support

Great Ormond Street Hospital and UCL Great Ormond Street Institute of Child Health who, where appropriate, we will accept information from, and share information with, in relation to key stakeholders.

Other third-parties where we are legally required to do so, including:
• the police;
• contracted parties who enable us to enforce or apply our terms and conditions or rights under an agreement;
• to protect us, for example in the case of suspected fraud or defamation; and
• government bodies or regulatory bodies including the Charity Commission or Fundraising Regulator.

All our data processors are carefully selected and are trusted partners of the Charity. All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place with our trusted partners and we regularly monitor all our partners to ensure their compliance.

If you would like more information about our trusted partners, please contact our Data Protection Officer using the details in the Our Contact Details section.

We do not share your information for any other purpose.

Accuracy, retention and storage

Accuracy
We aim to ensure that all information we hold about you is accurate and kept up-to-date.
We use services provided by trusted third-party organisations, such as the National Change of Address Register (facilitated by Royal Mail), to assist us with this. We also screen our records against other registers such as the Bereavement Register to ensure we do not contact individuals inappropriately.

If we believe the information held is not up-to-date, we will either update our records to reflect the information received from those services detailed above; or contact you and ask you to update this.

Similarly, if you believe any of the information we hold about you is inaccurate or your circumstances change, please advise us as soon as possible and we will ensure our records are updated as soon as possible.

Storing your Information
The charity maintains a secure back-up of its information. This enables us to ensure that in the event of an incident which disrupts normal business operations, we can restore these operations as quickly as possible, continuing to provide support in the meantime.

We aim to store all information within the UK or within the European Economic Area (“EEA”).

In some situations, it is possible that your information may be transferred outside the EEA. This may occur where, for example, one of our trusted partners processing information on our behalf has servers located in a country outside the EEA.

If this is the case, we will take appropriate steps to ensure your privacy continues to be protected as outlined in this privacy policy and in line with our legal obligations. These steps will include, as a minimum, inserting appropriate clauses in any contractual agreement with the third party regarding security measures and undertaking a Data Protection Impact Assessment on the data processing.

Retention
The charity keeps personal information about its donors and supporters in line with its Records Retention Policy and Records Retention Schedule, available on request to dataprotection@gosh.org.

All periods set in the Records Retention Schedule reflect the minimum retention period and take into consideration any legal requirements, tax or accounting rules. Documentation is reviewed prior to any decision being made about its destruction. With appropriate justification, documentation can be retained for longer than the suggested retention period but will be regularly reviewed thereafter and destroyed as soon as it is no longer required. When we no longer need to retain your information, we will ensure it is securely disposed of.

You have a right to ask us to delete personal information we hold about you in some circumstances (please refer to the Your Right section for more information on this right).

Protecting Children, Young Persons and Vulnerable Adults

Under 16’s
If you are aged 16 or under, and would like to participate in an event, donate or get involved with us, please make sure that you have your parent/guardian’s permission before giving us your personal information.
Where we collect information about a child or young person, we will make it clear as to the reasons for collecting this information and how it will be used.

Vulnerable Circumstances
The Charity recognise the importance of protecting individuals who may be in vulnerable circumstances and follow the guidance issued by the Institute of Fundraising on treating donors fairly.

We believe that this guidance helps to support our staff and fundraisers who come into contact with supporters in providing high quality customer care, ensuring anyone donating to the Charity is in a position to make a free and informed decision.

If you would like to find out more about the Institute of Fundraising’s guidance, please click here.

Your rights

You have a number of rights available to you and these are set out below.

Right to be Informed
You have a right to be told what the charity is doing with your data. This Privacy Policy sets this out for you and further information can be sought from the Charity’s Data Protection Officer.

Right to Rectify Inaccurate Information
You have a right to ask the charity to correct any data we hold and process that is no longer correct. You can also ask us to complete information that is incomplete.

Right to Restrict Processing
You have a right to choose what personal information held about you is processed and limit the information that you no longer want the charity to process.

Right to Portability
You have a right to ask the charity to send a copy of the information we hold about you to another organisation.

Right of Access
You have a right to ask us whether we are processing your personal information. Where this is the case, you can ask us to supply you with the information.

Right to Erasure
You have a right to ask the charity to delete the information we hold on you where:
• it is no longer required for processing,
• you no longer consent to the processing or
• where you object to processing

Right to Object to Processing
You have the right to object to the processing of your information where:
• this is carried out by us under the basis of public interest or legitimate interests,
• this is processed for direct marketing purposes, or
• this is processed for scientific or historical research purposes, or statistical purposes.

Right not to be subjected to Automated Decision Making
You have a right not to have your information processed using solely automated means with no human intervention, including any profiling activity.

You can exercise any of these rights at any time by contacting the Charity’s Data Protection Officer on dataprotection@gosh.org.

If you are unhappy with the way your information is being processed, you may lodge a complaint with the UK’s Supervisory Authority, the Information Commissioner. They can be contacted on 0303 123 1113 or via their website.

Our contact details

If you have any questions or queries about this Privacy Notice, please contact our Data Protection Officer or our Supporter Care Team:

Data Protection Officer (DPO)
Role/Department: Head of Governance, Legal and Compliance
Subject: Private Information Request / Data Protection Complaints / General Enquiries
Address: 40 Bernard Street London, WC1N 1LE
Telephone: 020 3841 3000
Email: dataprotection@gosh.org

Charity
Role/Department: Supporter Services
Subject: Compliments and Complaints / General Enquiries
Address: 40 Bernard Street London, WC1N 1LE
Telephone: 020 7091 7750
Email: info@sparks.org.uk

This policy was last updated in February 2019 and replaces all previous versions.

We will regularly review and update this document.

Changes will be notified either via e-mail or through an announcement on our website.