Privacy Policy - Edinburgh Children’s Hospital Charity

Privacy Policy

This privacy notice explains what information Edinburgh Children’s Hospital Charity (ECHC) collects about you, what we might use it for and how we keep it safe.  It also gives information about your rights in relation to the data we hold about you. 

Edinburgh Children’s Hospital Charity relies on the generous support that individuals and businesses provide us, to continue offering services to meet our vision of ‘Child First, Patient Second’ for all children and young people accessing healthcare services in our region.

We are extremely grateful for your support and are committed to protecting your personal data and using it fairly and transparently to ensure long, rewarding relationships for us all.  By providing us with your personal data, you consent to its collection and use as set out in this privacy notice.

We will implement appropriate technical and organisational measures to ensure we are able to demonstrate that we are processing data in accordance with the General Data Protection Regulations (2016). 

This privacy notice includes information about:  

  1. What personal data we collect about you and where we get it from 
  2. What we do with your data 
  3. How we look after your data 
  4. Your rights 
  5. How to contact us  
  6. How to find out more or report a concern 
  7. Specific information for:
    Grant Applicants
    b. Volunteer & Job Applicants 
  8. Our Cookie Policy & Hotjar  
  9. Changes to our privacy notice 

1. What personal data we collect about you & where we get it from

ECHC may collect and process a range of information about you.  We will only collect data that is appropriate for what we plan to use it for, this may consist of: 

  • your title, name, gender and date of birth; 
  • address and contact details, including email address and telephone number;
  • your contact preferences; 
  • business contact details, including address, telephone number and emails of relevant staff members;
  • dietary requirements (if you are attending one of our events); 
  • health information if relevant to protect your safety (such as allergies, special assistance required); 
  • your relationship to other individuals or organisations who support us;
  • connections you have to regional healthcare services, and your motivations for supporting us; 
  • gift aid status, and a record of donations; 
  • information about you, that is publicly available (eg. on Companies House, LinkedIn etc.); 
  • bank or credit/debit card details to process payments/donations.  We do not store this information unless you are a regular donor, and we need to process payments on a regular basis. 

We collect this information in the following ways: 

Information provided by you

Most of the information we hold has been collected from you.  When you complete a form, either in person or online, when you take part in an event, register with us for a mailing list, make a donation, or apply to become a volunteer you share your information with us and give consent for us to contact you.  We also collect information from you to meet contractual needs if you are a business/organisation working with us or supporting us. 

Information from our suppliers / third parties 

We may get information about you from relevant independent third party organisations such as fundraising sites like JustGiving, and event organisers for example Edinburgh Marathon, especially if you have noted that you will be raising funds for us.   

ECHC are not responsible for how third parties manage the data they collect, you should check their privacy notices to understand how they will process your data.  If your data is collected by a third party company, their privacy notices apply, and when it is passed to us, our privacy notice also takes effect.   

Information in the Public Domain 

We may obtain some information from publicly available sources, such as newspaper articles, Companies House, and social media websites (ie. Facebook, LinkedIn).   

Information from your use of our website and services 

We use data analytic software to learn about how people interact with our website and social media services, however we do not collect personal data about you in this way. 

2. What we do with your data

With the data that we collect, either from yourself, third parties, or from the public domain, we will mainly:

  • Make sure we know how you prefer to be contacted;
  • Update or erase it if you tell us to;
  • Provide you with the products, services or information that you have requested;
  • Provide you with other information that we think might be of interest to you, ie. newsletters, details of our current campaigns, updates on the services we deliver;
  • Invite you to our events;
  • Support you with your fundraising, including sharing information with you that might be of interest;
  • Process donation payments, and administer gift aid;
  • Send you surveys/questionnaires to ensure the information we are providing is relevant and interesting;
  • Keep a record of your relationship with us, and note the contact we have with you;
  • Work with third parties to profile and analyse our supporters to ensure we have sufficient information to be able to tailor our communications with you and identify appropriate philanthropic opportunities.

Our legal bases for processing your data

When you complete a form either on our website or at an event (eg. a ‘contact me’ form, photo consent form, or volunteer registration form), you opt in and give us consent to contact you, or use your data for the clearly specified purpose. You can opt out at any time, for any reason, by emailing us (see section 5. ‘How to contact us’ for other ways to get in touch).

If we have a contract with you, we will hold sufficient data to enable us to meet the obligations of the contract.

ECHC needs to process data to ensure that it is complying with its legal obligations. For example, maintaining an accurate audit trail, and complying with HMRC requirements when claiming Gift Aid on your donation.

We will use your data if it is in your vital interest, for example, if you have informed us that you have a health condition, and you require emergency treatment when attending one of our activities.

To allow us to continue providing our services and meet our objectives, we may process your data in accordance with legitimate interest regulations. We make sure your rights under data protection law are upheld by considering whether our use of your data will have any potential impact on you. Examples of when legitimate interest data processing may be used by us:

  • Direct marketing – to further the aims and objectives of ECHC. We may contract a third party to assist with large mailing campaigns;
  • Profiling and analysing – to help us understand our supporters and potential supporters, including gathering publicly available information to give an insight into philanthropic interests, and ability to support our aims, which in turn enables us to tailor our communications. We may contract a third party to assist with wealth screening;
  • See below ‘Who we might share data with’ for more information on using third parties;
  • If we are using your data for a legitimate interest, you are free to opt out at any time.

Who we might share data with

We are committed to protecting your personal data, and therefore we will never sell your information to anyone. We will only share it with organisations who are acting on our behalf (processors) with a formal agreement.

Your information may be shared internally, including with members of the senior management team, our Board of Trustees, and administrative staff and IT staff, if access to the data is necessary for the performance of their roles.

If you apply for a job with us, or to be a volunteer, we will share your data where appropriate with third parties in order to obtain necessary criminal records checks from Disclosure Scotland via the organisation Volunteer Development Scotland. In those circumstances the data will be subject to confidentiality arrangements, and you will have consented for this to happen.

We will share your data with event organisers where necessary to inform them of contact details, dietary and health needs, and information which enables them to deliver the event safely and in line with our instructions.

We might share your data to third party companies such as a direct mailing company to assist us in sending out newsletters or other promotional materials.

We might share your data to wealth screening companies if we instruct them to collect further information about our supporters (eg. philanthropic history and biographical information such as directorships and career history).

When we contract a third party company to process your data, we will ensure they keep your data safe, and only process it in line with our request. Under GDPR rules they are not permitted to share your data onwards without our permission, nor use it for reasons other than what we have instructed them to do.

3. How we look after your data

Storing your data securely 

ECHC takes the security of your data seriously.  We store supporter data in a restricted secure database, which is accessible only by staff members who have a legitimate reason to have access to it.   

Where ECHC engages third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data in line with GDPR regulations. 

In the unlikely event that we engage a third party company outside of the European Economic Area (EEA) to process data, we will check that they will look after your data to the same standards that we (and you) expect of ourselves, and have an agreement in place to support this.  If we are unsure how your data will be managed by any third party (either within or out of the EEA) we will not share your data to them. 

How long does ECHC keep your data?  

We will keep your data for as long as you are happy to hear from us, or as long as is necessary for the relevant activity.  We will give you the opportunity to opt out of our communications or change your contact preferences regularly, and you can email us at any time (See Section 5. How to contact us for other ways to get in touch). 

If you have made a donation, but opt out of our communications, in accordance with HMRC requirements we will hold your personal data for a maximum of seven years after your last donation unless there is a legal requirement for us to retain it longer. 

If you ask us to stop contacting you, we will need to keep some basic details so that we can comply with your request. We will not keep information that we do not need. 

Our IT systems are backed up regularly, these backups are kept for a period of at least 12 months.  If you have requested that your data is deleted, it may remain on our backups to retain the integrity of the backup, but would not be accessed or processed, even if the backup is recovered for other reasons. 

Keeping your data accurate. 

We keep our database up to date whenever we hear from you about changes to your personal data, or if we get one of the communications we have sent to you returned.   We regularly review all of our data, and may contract a 3rd party company to assist us with this, by checking Royal Mail movers lists and other sources of public information. 

4. Your rights

You have a number of rights with regards to your data. You can: 

  • access and obtain a copy of your data on request.  You will be asked to prove your identify before we supply you with a copy of your data.  You will not be charged for the copy of your data, unless the request is repetitive, or felt to be excessive; 
  • require ECHC to change incorrect or incomplete data; 
  • require ECHC to delete or stop using your data, for example where the data is no longer necessary for the purposes of processing; and 
  • object to the processing of your data where ECHC is relying on its legitimate interests as the legal ground for processing. 

For more information about your rights, you can look at the Information Commissioner’s Office website (see section ‘How to find out more’ below) or get in touch with us. 

5. How to contact us

Data Controller : Edinburgh Children’s Hospital Charity, and its subsidiary, Task Trading Ltd 

ICO Registration reference: Z1856552

If you have any questions about how we process your personal data, or you would like to exercise any of your rights, please get in touch with our Data Protection Team using the details below.  We will respond as soon as we can, this will always be within 28 days from when we receive your request. 

Email :  

Post :
My Data, c/o Data Protection Team
Finance and Operations
Edinburgh Children’s Hospital Charity
1st Floor, 1 Wester Shawfair
EH22 1FD

Telephone : 0131 668 4949 

6. How to find out more or report a concern

If you want to find out more about the General Data Protection Regulations (2016), you can contact the Information Commissioner’s Office (ICO) via their website

The ICO is the UK’s independent body setup to uphold information rights.

If you believe that ECHC has not looked after your data in line with current legislation, you can report a concern to the ICO at the following website: 

7. Specific information relating to grant applicants and volunteer/job applicants

a. Grant Applicants 

To enable us to process grant applications, ECHC may collect and process a range of information about you as detailed in this privacy notice.  We will also store details about what you are applying for, the outcome of your grant application, and bank details if we are required to send payments to you. 

We may contact you during and after the end of the relationship to discuss the grant, send evaluation forms to assess the benefits derived from funding, or contact you to request you present information about the grant to promote the programme. 

ECHC will hold your personal data for a maximum of seven years after your application, or after the end of the grant benefit period, unless there is a legal requirement for us to retain it longer. 

All other details documented in this privacy policy, including your rights, apply. 

b. Volunteer & Job Applicants 

As part of our recruitment process, ECHC may collect and process a range of information about you as detailed in this privacy notice.  We may also gather information about: 

  • what position you are applying for; 
  • your qualifications, skills, experience and employment history; 
  • information about your current level of renumeration, including benefit entitlements (for job applicants); 
  • whether or not you have a disability for which the organisation may need to make reasonable adjustments during the recruitment process; 
  • information about your entitlement to work in the UK. 

This data will be collected from a variety of sources, eg. application forms, CVs or resumes, your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests.  We may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks.  We will seek information from third parties only once an offer to you has been made and we will inform you that we are doing so. 

ECHC needs to process data prior to entering into a contract with you, and to ensure we are complying with our legal obligations (for example, to check a successful applicant’s eligibility to work in the UK before employment/volunteering starts). 

ECHC has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for the position, and to decide whether we offer a position to you.  ECHC may also need to process data from job applicants to respond to and defend against legal claims. 

We may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics.  We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability.  ECHC processes such information to carry out our obligations and exercise specific rights in relation to employment. 

For some roles, ECHC is obliged to seek information about criminal convictions and offences. Where ECHC seeks this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment. 

ECHC will not use your data for any purpose other than the recruitment into the post for which you have applied, your information may be shared internally for the purposes of the recruitment process. This includes members of HR, the recruitment/volunteering team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. 

ECHC will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment.  We will then share your data with former employers to obtain references for you, employment background-check providers to obtain necessary background checks and Disclosure Scotland via Volunteer Development Scotland to obtain necessary criminal records checks. 

If your application for employment is unsuccessful, we will hold your data on file for the recommended retention period of one year (as per CIPD guidance) after the end of the recruitment process.  At the end of that period (or once you withdraw your consent), your data is deleted or destroyed. 

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel/volunteer file and retained during your employment. The periods for which your data will be held will be provided to you in our data protection policy. 

You are under no statutory or contractual obligation to provide data to ECHC during the recruitment process, however, if you do not provide the information, we may not be able to process your application. 

All other details documented in this policy, including your rights, apply. 

8. Our cookie & Hotjar policy

This web site uses cookies. Cookies are small text files that are sent by web servers and stored on visitors computers so they can be read back later, a convenient way of allowing a computer to remember specific information relating to a web site and provide a better user experience. 

The cookies we use on this site are ‘analytical’ cookies, created by Google Analytics. These cookies are unobtrusive and allow both the web site to function and for us to obtain information about the usage of our site, viewing data such as the number of visits, duration of each visit and path taken by the user around the site. This allows us to monitor and improve the way our web site works by, for example, making sure users can easily find what they are looking for. 


We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the `about Hotjar’ section of Hotjar’s support site. 

9. Changes to our privacy policy

If we change our privacy notice, we will post an update here to inform you about what is changing, and when.  We encourage you to periodically visit this page to review our most current policy.

If we feel the changes are significant, we will inform you via a newsletter, email or other direct contact method.

If you would like to know more about our data protection policies, please get in touch.

This privacy notice is dated 23rd March 2023.