This privacy notice explains what information Edinburgh Children’s Hospital Charity (ECHC) collects about you, what we might use it for and how we keep it safe. It also gives information about your rights in relation to the data we hold about you.
Edinburgh Children’s Hospital Charity relies on the generous support that individuals and businesses provide us, to continue offering services to meet our vision of ‘Child First, Patient Second’ for all children and young people accessing healthcare services in our region.
We are extremely grateful for your support and are committed to protecting your personal data and using it fairly and transparently to ensure long, rewarding relationships for us all. By providing us with your personal data, you consent to its collection and use as set out in this privacy notice.
We will implement appropriate technical and organisational measures to ensure we are able to demonstrate that we are processing data in accordance with the General Data Protection Regulations (2016).
This privacy notice includes information about:
ECHC may collect and process a range of information about you. We will only collect data that is appropriate for what we plan to use it for, this may consist of:
We collect this information in the following ways:
Information provided by you
Most of the information we hold has been collected from you. When you complete a form, either in person or online, when you take part in an event, register with us for a mailing list, make a donation, or apply to become a volunteer you share your information with us and give consent for us to contact you. We also collect information from you to meet contractual needs if you are a business/organisation working with us or supporting us.
Information from our suppliers / third parties
We may get information about you from relevant independent third party organisations such as GPs and other healthcare providers, fundraising sites like JustGiving, and event organisers for example Edinburgh Marathon, especially if you have noted that you will be raising funds for us.
ECHC are not responsible for how third parties manage the data they collect, you should check their privacy notices to understand how they will process your data. If your data is collected by a third party company, their privacy notices apply, and when it is passed to us, our privacy notice also takes effect.
Information in the Public Domain
We may obtain some information from publicly available sources, such as newspaper articles, Companies House, and social media websites (ie. Facebook, LinkedIn).
Information from your use of our website and services
We use data analytic software to learn about how people interact with our website and social media services, however we do not collect personal data about you in this way.
With the data that we collect, either from yourself, third parties, or from the public domain, we will mainly:
Our lawful bases for processing your data
When you complete a form either on our website or at an event (eg. a ‘contact me’ form, photo consent form, or volunteer registration form), you opt in and give us consent to contact you, or use your data for the clearly specified purpose. You can opt out at any time, for any reason, by emailing us (see section 5. ‘How to contact us’ for other ways to get in touch).
If we have a contract with you, we will hold sufficient data to enable us to meet the obligations of the contract.
ECHC needs to process data to ensure that it is complying with its legal obligations. For example, maintaining an accurate audit trail, and complying with HMRC requirements when claiming Gift Aid on your donation.
We will use your data if it is in your vital interest, for example, if you have informed us that you have a health condition, and you require emergency treatment when attending one of our activities, or if we believe there is a risk of harm to yourself, others or property.
To allow us to continue providing our services and meet our objectives, we may process your data in accordance with legitimate interest regulations. We make sure your rights under data protection law are upheld by considering whether our use of your data will have any potential impact on you. Examples of when legitimate interest data processing may be used by us:
Who we might share data with
We are committed to protecting your personal data, and therefore we will never sell your information to anyone. We will only share it with organisations who are acting on our behalf (processors) with a formal agreement.
Your information may be shared internally, including with members of the senior management team, our Board of Trustees, and administrative staff and IT staff, if access to the data is necessary for the performance of their roles.
If you apply for a job with us, or to be a volunteer, we will share your data where appropriate with third parties in order to obtain necessary criminal records checks from Disclosure Scotland via the organisation Volunteer Development Scotland. In those circumstances the data will be subject to confidentiality arrangements, and you will have consented for this to happen.
We will share your data to comply with requests where it is required by law, for example to the government for tax purposes, or to law enforcement agencies for the prevention and detection of crime.
We will share your information with other healthcare providers/emergency services if we think there is a risk of serious harm or abuse to you, others or property.
We will share your data with event organisers where necessary to inform them of contact details, dietary and health needs, and information which enables them to deliver the event safely and in line with our instructions.
If you are accessing our services at The Hub or The Haven, we might share your data to other charities and organisations if we feel they can provide additional support to you or your family. We will always discuss this with you first, and only share your details if you agree to it.
We may use your data for monitoring and evaluation purposes. This helps us to understand and improve the services we deliver. Once anonymised, this data may also be used in reports, presentations, marketing materials and any other relevant documentation.
For some projects we may use an external consultant or evaluator to independently verify the success or impact of our work which will entail sharing the data we collect but this will also be anonymised.
We might share your data to third party companies such as a direct mailing company to assist us in sending out newsletters or other promotional materials.
We might share your data to wealth screening companies if we instruct them to collect further information about our supporters (eg. philanthropic history and biographical information such as directorships and career history).
When we contract a third party company to process your data, we will ensure they keep your data safe, and only process it in line with our request. Under GDPR rules they are not permitted to share your data onwards without our permission, nor use it for reasons other than what we have instructed them to do.
Storing your data securely
ECHC takes the security of your data seriously. We store supporter and service user data in a restricted secure database, which is accessible only by staff members who have a legitimate reason to have access to it.
Where ECHC engages third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data in line with GDPR regulations.
In the unlikely event that we engage a third party company outside of the European Economic Area (EEA) to process data, we will check that they will look after your data to the same standards that we (and you) expect of ourselves, and have an agreement in place to support this. If we are unsure how your data will be managed by any third party (either within or out of the EEA) we will not share your data to them.
How long does ECHC keep your data?
We will keep your data for as long as you are happy to hear from us, or as long as is necessary for the relevant activity. We will give you the opportunity to opt out of our communications or change your contact preferences regularly, and you can email us at any time (See Section 5. How to contact us for other ways to get in touch).
If you are using our services at The Haven or The Hub, we will keep your personal data for as long as you are accessing our services, and at least two years afterwards. We will only keep it for longer if we have a legitimate reason to do so.
If you have made a donation, but opt out of our communications, in accordance with HMRC requirements we will hold your personal data for a maximum of seven years after your last donation unless there is a legal requirement for us to retain it longer.
If you ask us to stop contacting you, we will need to keep some basic details so that we can comply with your request. We will not keep information that we do not need.
Our IT systems are backed up regularly, these backups are kept for a period of at least 12 months. If you have requested that your data is deleted, it may remain on our backups to retain the integrity of the backup, but would not be accessed or processed, even if the backup is recovered for other reasons.
Keeping your data accurate.
We keep our database up to date whenever we hear from you about changes to your personal data, or if we get one of the communications we have sent to you returned. We regularly review all of our data, and may contract a 3rd party company to assist us with this, by checking Royal Mail movers lists and other sources of public information.
You have a number of rights with regards to your data. You can:
For more information about your rights, you can look at the Information Commissioner’s Office website (see section ‘How to find out more’ below) or get in touch with us.
Data Controller : Edinburgh Children’s Hospital Charity, and its subsidiary, Task Trading Ltd
ICO Registration reference: Z1856552
If you have any questions about how we process your personal data, or you would like to exercise any of your rights, please get in touch with our Data Protection Team using the details below. We will respond as soon as we can, this will always be within 28 days from when we receive your request.
Email : Mydata@echcharity.org
Post :
My Data, c/o Data Protection Team
Finance and Operations
Edinburgh Children’s Hospital Charity
c/o RHCYP and DCN Building
50 Little France Crescent
Edinburgh
EH16 4TJ
Telephone : 0131 668 4949
If you want to find out more about the General Data Protection Regulations (2016), you can contact the Information Commissioner’s Office (ICO) via their website www.ico.org.uk
The ICO is the UK’s independent body setup to uphold information rights.
If you believe that ECHC has not looked after your data in line with current legislation, you can report a concern to the ICO at the following website: https://ico.org.uk/make-a-complaint/
a. Grant Applicants
To enable us to process grant applications, ECHC may collect and process a range of information about you as detailed in this privacy notice. We will also store details about what you are applying for, the outcome of your grant application, and bank details if we are required to send payments to you.
We may contact you during and after the end of the relationship to discuss the grant, send evaluation forms to assess the benefits derived from funding, or contact you to request you present information about the grant to promote the programme.
ECHC will hold your personal data for a maximum of seven years after your application, or after the end of the grant benefit period, unless there is a legal requirement for us to retain it longer.
All other details documented in this privacy policy, including your rights, apply.
b. Volunteer & Job Applicants
As part of our recruitment process, ECHC may collect and process a range of information about you as detailed in this privacy notice. We may also gather information about:
This data will be collected from a variety of sources, eg. application forms, CVs or resumes, your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests. We may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. We will seek information from third parties only once an offer to you has been made and we will inform you that we are doing so.
ECHC needs to process data prior to entering into a contract with you, and to ensure we are complying with our legal obligations (for example, to check a successful applicant’s eligibility to work in the UK before employment/volunteering starts).
ECHC has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for the position, and to decide whether we offer a position to you. ECHC may also need to process data from job applicants to respond to and defend against legal claims.
We may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. ECHC processes such information to carry out our obligations and exercise specific rights in relation to employment.
For some roles, ECHC is obliged to seek information about criminal convictions and offences. Where ECHC seeks this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.
ECHC will not use your data for any purpose other than the recruitment into the post for which you have applied, your information may be shared internally for the purposes of the recruitment process. This includes members of HR, the recruitment/volunteering team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
ECHC will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. We will then share your data with former employers to obtain references for you, employment background-check providers to obtain necessary background checks and Disclosure Scotland via Volunteer Development Scotland to obtain necessary criminal records checks.
If your application for employment is unsuccessful, we will hold your data on file for the recommended retention period of one year (as per CIPD guidance) after the end of the recruitment process. At the end of that period (or once you withdraw your consent), your data is deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel/volunteer file and retained during your employment. The periods for which your data will be held will be provided to you in our data protection policy.
You are under no statutory or contractual obligation to provide data to ECHC during the recruitment process, however, if you do not provide the information, we may not be able to process your application.
All other details documented in this policy, including your rights, apply.
This web site uses cookies. Cookies are small text files that are sent by web servers and stored on visitors computers so they can be read back later, a convenient way of allowing a computer to remember specific information relating to a web site and provide a better user experience.
The cookies we use on this site are ‘analytical’ cookies, created by Google Analytics. These cookies are unobtrusive and allow both the web site to function and for us to obtain information about the usage of our site, viewing data such as the number of visits, duration of each visit and path taken by the user around the site. This allows us to monitor and improve the way our web site works by, for example, making sure users can easily find what they are looking for.
Hotjar
We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the `about Hotjar’ section of Hotjar’s support site.
If we change our privacy notice, we will post an update here to inform you about what is changing, and when. We encourage you to periodically visit this page to review our most current policy.
If we feel the changes are significant, we will inform you via a newsletter, email or other direct contact method.
If you would like to know more about our data protection policies, please get in touch.
This privacy notice is dated 23rd March 2023.
29th June 2023: Minor change – Legal bases to Lawful bases
20th September 2023: Minor wording changes to include information for users of our new service at The Haven.
Addition of statements relating to the use of personal data to verify the success/impact of our services.
17th July 2024: Change to mailing address