Our privacy statement

Epilepsy Action is a community of people committed to improving the lives of everyone affected by epilepsy and is a charity registered as the British Epilepsy Association in England and Wales (No.797997). BEA Trading Ltd sells a range of goods and services and all the profits are passed to Epilepsy Action.

Being open and transparent about how and why we do things is central to our values as a charity and this privacy statement sets out how, why and when we collect and use your personal information and how we keep it safe and secure.

We regularly review this privacy statement, and any updates will be posted on our website and will apply from the date they go live. Supporters we are in contact with will be informed of any major changes. If you have any questions about data protection, please email our Data Protection Officer at dpo@epilepsy.org.uk or write to:

Data Protection Officer 
Epilepsy Action  
New Anstey House 
Gate Way Drive 
Yeadon 
Leeds 
LS19 7XY

This Privacy Statement does not cover information gathered on websites outside our control and there are additional organisational policies that employees should refer to.

This privacy statement was last updated September 2022.

  • 1. What is personal data?

    Personal data is any information that identifies a living person. This can include name, address, phone number and email address.

    It also covers the use of any personal information you provide. This may be by phone, text, email, social media, letter or in person. It can include IP addresses and other technical identifying information.

  • 2. What are Special Categories of Personal Data?

    The UK GDPR defines special category data as:

    • personal data revealing racial or ethnic origin;
    • personal data revealing political opinions;
    • personal data revealing religious or philosophical beliefs;
    • personal data revealing trade union membership;
    • genetic data;
    • biometric data (where used for identification purposes);
    • data concerning health;
    • data concerning a person’s sex life; and
    • data concerning a person’s sexual orientation.

    As data concerning health is a Special Category we will need to seek your explicit consent to keep information about your epilepsy status as well as other categories listed above. For more information see section 9 below and Special category data | ICO.

  • 3. Your data, your rights

    While we are in possession of, or processing, your personal data, you have the following rights:

    • Right of access – you have the right to request a copy of the information that we hold about you.
    • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
    • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
    • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
    • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
    • Right to object – you have the right to object to certain types of processing, such as direct marketing.
    • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.

    If Epilepsy Action refuses your request under rights of access, we will provide you with a reason, and you have the right to legally challenge this.
    At your request we can confirm what information we hold about you and how it is processed.

  • 4. Who we collect information on

    We need to collect and use your personal data if you contact us for any reason, including if you are a:

    • member of Epilepsy Action
    • member of our online communities
    • supporter, donor, or someone fundraising for us
    • person who uses our services
    • visitor to any of our websites
    • person who makes contact through social media platforms
    • person who buys goods from our trading company, BEA Trading Ltd
    • volunteer or prospective volunteer
    • employee or prospective employee
    • supplier or prospective supplier
    • journalist, member of the media, broadcaster, publisher
    • MP, Councillor, or another public representative
    • healthcare professional
    • person from an organisation or business that wants our support or to work with us.
  • 5. Why we hold your data
    • to communicate with you as a supporter and service user
    • to respond to your enquiry or request for information
    • to provide you with the service or membership you requested
    • to process sales or donations and verify financial transactions
    • to manage and deliver items you have ordered
    • to provide a personalised service to you when you visit our websites. This includes the use of cookies if you agree to their use and could include customising content and layout of web pages. It also means we can help with any problems you may be experiencing with our website, including if you enter details onto an online form and you don’t send or submit the form.
    • to keep a record of any contact we have with you
    • to prevent or detect fraud
    • to enable third parties to carry out technical or logistical functions for us
    • to carry out research on the demographics, background and interests of our supporters and users of our services
    • to tell you about the things you have told us you are interested in
    • to send by post information about our work that we think is in our legitimate interest to do so.
  • 6. How we collect data

    We may collect and store information about you whenever you interact with us, for example when you make a donation, register for an event or submit an enquiry. Other examples include if you register for our services, apply for a job or volunteering opportunity, or provide personal information.

    We may also receive information about you from third parties for a specific purpose. However, this will only happen if you have given them permission to share your information.

  • 7. Complying with GDPR and the 2018 Data Protection Act

    GDPR requires us to process personal data fairly and lawfully. We will offer you choices about the way you are contacted. We will also be clear about how we will use your information and how long we will keep it for.

    Epilepsy Action has informed the Information Commissioner’s Office (ICO) why we collect and process data. We only hold data about you that is sufficient for our purpose, and we try to make sure that the data we hold is accurate and up to date.

    We only hold personal data as long as is necessary. However, we may need to keep personal data about you even if you have requested no further contact or removal. This is so we can make sure we don’t contact you about any activity.

    We have systems in place to protect your personal data. Access to written and electronic personal data is restricted and has a level of security depending on the sensitivity of the data. Data taken off-site is either password protected or encrypted.

  • 8. Legitimate interest

    We may use legitimate interest as the basis to send information about our work, or marketing material by post, where there has not been an opt out of contact by post.

    We may also use legitimate interest to process data on the following:

    • employee data
    • employment applications
    • volunteer applications and engagement
    • advisers, authors and writers for our publications and services
    • standard business contacts including healthcare professionals
    • approaching companies about cooperation or fundraising where we can demonstrate this is reasonable, for example they have a corporate responsibility statement indicating support for our type of work
    • approaching trusts and foundations where we can demonstrate they support our type of charity
    • responding to enquiries
    • request to seek advice or engagement with us on projects
    • researching current supporters, partners and potential partners or supporters (including trusts and funds and companies and their employees, directors, or trustees) via information in the public domain.
    • postal marketing to any contact where engagement suggests it does not override an individual’s privacy rights: examples include current donors, legacy donors, epilepsy professional circulation, Doodle Day participants and raffle participants.
    • the publication or broadcast of photos or videos in live events.
  • 9. Special categories of personal data

    If you contact us for advice, support, or counselling, join us as a member, take part in a group, or work as a media volunteer, we may record the following information, but would not store it without your explicit consent:

    • Your interest in epilepsy and what affects you in your daily life. This helps us to monitor the demand for our services and plan for additional content and information.
    • Your health information such as epilepsy status and your ethnicity. Collecting this information helps us to identify trends, improve our services and ensure they are accessible.

    We have legally backed reasons for collecting Special Categories of Personal Data. It helps us to achieve one or more of our charitable aims, for example the provision of accurate advice and support to people diagnosed with epilepsy. None of this data will be used in a way that could harm you as an individual.

  • 10. Marketing Communications

    We will make sure you can opt out of receiving marketing communications at the first reasonable opportunity. You will be able to say no to contact by mail, telephone, text or email.

    If, at a later date, you contact us and give different contact preferences we will use the latest information. Every time we contact you there will be an opportunity to update communication preferences.

  • 11. Email marketing

    Emails and text messages are also covered by the Privacy and Electronic Communications Regulations (see What are PECR? | ICO).

    You will tick a box to agree to your details being used for marketing emails/texts and any future emails or texts will include the opportunity to unsubscribe.

    We use reputable third-party providers to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies.

  • 12. Social Media

    We may use your details to contact you with updates and information relating to your fundraising. This depends on your own privacy settings for social media sites such as Facebook, WhatsApp and Twitter. We may also use your details to promote other activities or events on social media platforms. To control these adverts you should amend your social media platform settings.

    We use third party providers to manage our social media interactions. If you send us a private or direct message this will be stored in line with our data retention schedule and will not be shared with other organisations.

  • 13. Website data collection, hosting and spam prevention

    If you use any of the email facilities or forms on any of our sites, we will capture your email address, name and, where relevant, postal address. See the cookies section for further details.

    If you use any of the secure forms on our sites, your credit/debit information is only used to complete that transaction and we, or our contracted suppliers, will manage the transaction securely in line with the PCI DSS standards. All forms and systems are secure and cannot be accessed by anyone other than the staff involved in completing the transaction.

    Our Office 365 platform and Dynamics are hosted within the UK. Any personal information transferred outside the European Economic Area (EEA) would only occur as information stored in the cloud. We will ensure that your information is held in compliance with the European data protection regulations.

    We use standard third-party web analytics services to collect anonymous information about your computer, including your IP address, operating system and browser type. This means we can monitor and report on the effectiveness of the site but does not identify you as an individual.

    We use third party services to host our websites and analyse the quality of content posted by our users on our websites. The contents of forms (including your personal data) are passed to third parties to assess whether the content is posted by spammers. They will only use the information for this purpose.

    For further details on the systems and companies we use for our website hosting please contact our Digital Manager.

  • 14. Building profiles of supporters and targeting communications

    We may use research, profiling and screening techniques to ensure communications are relevant and well timed. We may also use them to provide an improved experience for our supporters. This research helps us to understand more about you as an individual, so we can focus conversations we have with you about fundraising and volunteering in the most effective way and ensure that we provide you with an experience as a donor or potential donor which is appropriate for you.

    This research and profiling allows us to target our resources effectively. We do this because it allows us to understand the background of the people who support us. It helps us make appropriate requests to supporters who may be able and willing to give more than they already do. It also helps us to raise more funds sooner, and more cost-effectively, than we otherwise would.

    When building a profile we undertake in-house research and, from time to time, engage specialist agencies to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists,’ social networks such as LinkedIn, political and property registers, and news archives. We may also analyse geographic, demographic and other information relating to you. This is so we can understand your interests and preferences and contact you with the most relevant communications. In doing this, we may use additional information from third-party sources when it is available.

    We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to our current major supporters, trustees or other lead volunteers. We also use publicly available sources to carry out due diligence on donors in line with the charity’s Gift Acceptance Policy and to meet money laundering regulations.

    If you would prefer us not to use your data for this research, profiling and data screening in this way, please email us at dpo@epilepsy.org.uk.

  • 15. Children’s Data

    If a child under 16 joins Epilepsy Action, or takes part in an event, we will keep their information to support their membership or the event. If a child uses our advice and support services, or sends an enquiry, we will only use their information to deal with that enquiry.

    We recognise the need to protect the privacy and safety of children under 16. We generally use photographs of models and only use images of real children and their names where this is necessary for the context.

    Parental permission must be obtained to use an image or information, and in the case of children 13-16 years we will also record their permission. Further details can be found here.

  • 16. Sharing your data with other organisations

    We use third parties to handle some of our services on your behalf, as permitted under GDPR. These organisations are only allowed to use your personal information for the specific purpose they have been contracted for. For example, this could be to send a letter to you, process your direct debit or for conducting prospect research.

    The translation service that supports our Helpline is provided by a third-party company but they do not keep any information on the individuals that they translate for.

    We will always transfer data securely and never swap or sell your data with another organisation for them to use for marketing purposes. All suppliers handling any personal data are subject to a data processing agreement which is legally binding and controls what they do with the data.

    If something you have told us makes us think you or someone you know might be at serious risk of harm, we may tell the police or social services: for example, if we think you might hurt yourself or someone else.

  • 17. Emergency contact details

    If you attend an Epilepsy Action event and provide us with emergency contact details you must confirm that the person whose details you provide has given permission for you to share them.

    We will delete any emergency contact details as soon as is practical.

  • 18. Use of media and consent

    Media consent applies to:

    • Photographs
    • Video footage
    • Stills from videos
    • Sound recordings
    • Quotes and case studies

    It applies whether or not Epilepsy Action took the material, commissioned it or it was submitted by a third party.

    If you give consent we may use it as follows:

    • on websites
    • on social media and video hosting platforms
    • in Epilepsy Action information materials
    • for broadcast and radio interviews
    • for written press articles.

    Material will only be used for as long as consent has been given. Media consent will normally be five years, unless you state something different.

    After expiry of consent material will be deleted from storage and withdrawn from the web and relevant social media. We are unable to guarantee that we can withdraw all material that is already in circulation. We will take all reasonable steps to make sure content used on our websites and in publications is not used by third parties without our permission.

    At some events other photographers, videographers or members of the public not employed by, or associated with, Epilepsy Action may take and distribute material, and this is beyond our control.

  • 19. Employees, ex-employees and job applicants

    Applicants

    When people apply to work at Epilepsy Action, we use the information they supply to process their application and select the preferred candidate for the role. We will also process data to monitor recruitment statistics. When we want to disclose or request information to or from a third party, we will not do so without informing the person in advance, unless the disclosure is required by law.

    Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has finished. It will then be securely destroyed or deleted. We retain statistical information about applicants to help inform our recruitment activities; however, no individuals can be identified from that data.

    Employees

    Once a person has taken up employment with Epilepsy Action, there are several data requirements we require to ensure legal compliance and processing as part of your employment with us.

    This information is stored securely, and access is restricted to those who need to access it for legitimate purposes directly relevant to that person’s employment.

    Employees should refer to:

    Data Protection Policy with privacy statement and data retention guidance
    Contract of Employment
    Equality, Diversity and Inclusion Policy

    Employees and applicants should refer to the Policy Statement on the Recruitment of Ex-Offenders.

    Ex-employees

    Once employment with Epilepsy Action has ended, we will keep the file as required by our Retention Schedule and then securely destroy or delete it.

    We will provide data to organisations who may request a reference about you in line with our Reference Procedure (a copy can be requested from recruitment@epilepsy.org.uk), where your permission has been given to provide this. We will only share any other data about ex-employees where legally required to do so.

  • 20. Requesting access to your data

    You can request information about:

    • The processing based on the legitimate interests of Epilepsy Action and information about these interests.
    • The categories of personal data collected, stored and processed.
    • Recipient(s) or categories of recipients that the data is/will be disclosed to.
    • How long the data will be stored.
    • Details of your rights to correct, erase, restrict or object to such processing.
    • Information about your right to withdraw consent at any time.
    • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
    • The source of personal data if it was not collected directly from you.
    • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

    A subject access request can be verbal, in writing or by social media. If possible please send it by email to dpo@epilepsy.org.uk. To support your request, Epilepsy Action also requires ID and will accept the following forms when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months.

    If the request is unfounded or excessive we may charge a reasonable administration fee to provide the information, refuse to comply with the request or limit the amount of data provided.

    In most cases, we will process your data subject access request within 30 days. We may need to extend this period for particularly complex requests or if the relevant ID is not provided.

  • 21. Changing your communication preferences

    You can change your communication preferences at any time. You can choose whether we contact you by mail, telephone, email or text message.

    You can also choose whether you receive information on certain activities of Epilepsy Action, such as appeals, campaigns and raffles. Just contact us by phone on 0113 210 8800, in writing or by email to dpo@epilepsy.org.uk or visit our contact page.
     

  • 22. Complaints

    If you wish to make a complaint about how your personal data is being processed by Epilepsy Action you have the right to complain to us. If you do not get a response within 30 days, you can complain to the ICO.

    For a more detailed list of what information we collect and how it is used you can visit the Information Commissioner’s Office (ICO) website and view our registry entry.

    ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

    Telephone +44 (0) 303 123 1113 or email here.

    Our ICO registration number is Z4605447.