Hello, we’re the National Society for the Prevention of Cruelty to Children, though you probably know us as the NSPCC. We're the leading children's charity fighting to end child abuse in the UK, Channel Islands and Isle of Man. We help children who have been abused to rebuild their lives, protect those at risk, and find the best ways of preventing abuse from ever happening.
Safety is at the heart of everything we do. Our mission is to keep children safe across the UK – it’s what drives all our work. But, as one of our valued supporters, service users or affiliates that also extends to keeping your personal information safe. At the NSPCC we value anyone who comes into contact with us and we’re committed to protecting your privacy so we make sure we protect any of your personal data that we have.
The NSPCC is registered under the Data Protection Act 2018 under number Z6593104 and for the purposes of this policy is the Data Controller. Our registered charity numbers are 216401 in England and Wales and SC037717 in Scotland. The NSPCC Trading Company Ltd. (registered Company in England & Wales no. 890446) is a wholly owned subsidiary of ours which trades on our behalf. We have appointed a DPO at DPO Centre Limited, 50 Liverpool St, London EC2M 7PY
Below we have answered a range of questions to help you better understand how we protect your personal information.
This policy was last updated on 21 January 2020.
Personal information is any information that can be used to identify you. So for example, if you donate money, use our services, request our products, or become involved in our campaigns or volunteering work, we will collect and process the personal information that you’ve provided.
We may also collect information from you when you report a problem with our website, if you complete a survey which we use for research or evaluation purposes, or if you give us your details as part of a report to our Helpline.
This personal information may include
- Basic personal details (your name, email address, postal address, telephone or mobile number and date of birth)
- Financial details (bank account number, UK tax payer information for gift aid)
- Credit or debit card information
- IP address
- Photos, videos or audio recordings used as part of our work with you
- CCTV which is in use at various NSPCC sites.
In certain circumstances we will process special category data, for example if you're involved with any of our service provisions, to help ensure our work respects your needs. This might include:
- Ethnic origin
- Sexual orientation
- Sex life
We may also collect details of your visits to our website, for example location data, how you found us and the resources accessed on our website. We use this to provide you with the information, services or products that you’re interested in and are most relevant to you.
To understand how we use information about the communications devices you use, such as IP address (the location of the computer on the internet) and cookies, please see our Cookies policy page.
There are a number of ways that we may use your personal information, all to help us provide the most relevant and personalised service for you. The following are some of the ways we use your personal information for our core activities:
- To provide you with information (such as fundraising or campaigning activities), services or products you’ve requested or which we feel may interest you. When you interact with an email sent from the NSPCC, such as opening an email or clicking on a particular we link, we will receive information about that interaction. We use this information to ensure that we understand how our campaigns are being received, as well as to ensure that we continue to act in accordance with how you've chosen to hear from us. We may also permit selected third parties to provide you with information on our behalf. But all this will only happen when you’ve consented to this. For more information, please see “Sharing your information with third parties” below.
- To provide key services for safeguarding of children as part of children’s and national services. This could include the collection of ethnicity and health data. This helps us ensure that we are able to effectively assess the needs of all individuals so that we can work with the most appropriate agencies, and ensures that our services reach the right people.
- To enable us to support you in our work with you. Sometimes we may use mobile phones, cameras or laptops for filming, voice recording or slideshows as part of our work with you. These may be used to improve your relationships or help you understand our work better, and may also be used to help our workers learn how to support you better
- To evaluate and improve our fundraising activities as well as the services we provide to children and families. This could be analysing demographics to inform our campaign, marketing and service provision strategies. This helps us ensure we understand how effective our services are and ensures we spend our charitable donations in the most effective way. If you start using an NSPCC service, we may continue to use your data for evaluation purposes, but this will be in statistical form and will not identify you as an individual.
- To analyse and improve the services offered on our websites. This means we can provide you with the most user-friendly navigation experience we can, which may involve providing your information to third parties.
- To allow you to participate in interactive features on our website, when you choose to do so. For example, we may help you auto-complete forms by inserting your contact details for you to edit.
- To use your IP addresses to identify relevant information. This may include information such as your approximate location. It also helps us to block disruptive use or establish information like the number of visits to the website from different countries.
- To make our marketing campaigns more targeted and relevant to potential donors and customers.
- To record and respond to any compliments, comments or complaints from supporters or service users and to appropriately investigate and implement necessary changes. All feedback helps us to learn and to improve what we do. For more information please read our Compliments, Comments and Complaints policy.
- To conduct prospect research. For more information please see the Prospect research section below.
- To promote our activities. Where you have given us your consent we may use photos of you, or testimonials, for promotional activities and communications.
- To match information collected from you through different means or at different times. That could include using information collected online and offline, along with information obtained from other sources, including third parties and publicly available sources, to ensure that the information we hold about you is up to date and accurate. These include third parties such as BT OSIS, Post Office Address File and Experian Quick Address.
- To assess your suitability for a role at the NSPCC as an employee or a volunteer. This may involve conducting internal searches against our database as part of the application process.
- To protect staff and visitors to NSPCC sites.To protect staff, visitors and to protect the organisation against theft, some sites will have CCTV installed.
Some of these activities may also involve ‘automated decision-making’. However, you have the right to object to the use of your personal information for profiling and automated decision-making processes. For information on how to exercise these rights, please see the section on ‘Your Rights’ below.
If you do not want us to use your data for direct marketing purposes you can contact our Supporter Care team. Please see "How will we contact you?" below.
Our researchers use personal data, including sensitive personal data, in their research activities. This might include research such as evaluating our services such as Speak Out Stay Safe or commissioning research to help us understand what parents of disabled children want to help keep their children safe from sexual abuse. Research allows us to ensure our services, programmes and campaigns support children and families as effectively as possible, effectively scale up our services, and identify additional areas for research, campaigns and programme development. We don't seek consent to use your personal data for this purpose, but rely on legitimate interests as our lawful basis. For our research activities, we ensure that we have conducted an assessment to ensure that our interests as a charity have not outweighed your rights and freedoms as an individual.
We conduct prospect research to identify new potential donors and existing supporters who may be interested in supporting the NSPCC with a major gift. In certain circumstances, this means that we might collect or supplement your personal data to understand whether it is appropriate to take such an approach. To help us make these decisions, we have developed a scoring system that we use to calculate how likely a person is to donate a major gift, and the level of support they could provide. This enables us to prioritise our resources and ensure that the funding proposals that we develop are appropriately tailored as we seek to generate support for ending child abuse.
We only use information from credible sources in the public domain, and we never use third parties to conduct research on our behalf. We do not seek consent to conduct this research, but rely on legitimate interest as our lawful basis. If we do conduct research on you we will notify you at the first available opportunity so that you have the opportunity to view the information we have collected along with any score that we have applied to your record and request its deletion. If we cannot notify you within six months then we will remove this information ourselves.
Data Protection law requires us to have a reason or justification, also known as a ‘lawful basis’, for using any of your personal data:
This is where we've asked for your permission to use your personal data in a specific way, and you've agreed. For example to send you marketing via email or SMS.
We may process your personal data as part of an agreement you have with us. For example if you work for us or if you purchase something from our online shop.
We may collect or share your personal data where we are required to do so by law. For example to fulfil a regulatory requirement or for fraud detection.
Where there's an immediate risk to your health we may use your personal data. For example if we're concerned for your health or safety at one of our fundraising events.
Some activities are undertaken in the public interest. For example collecting personal information in relation to concerns raised via the NSPCC Helpline.
Our legitimate interest is in engaging with the public to further our charitable aims.
Whenever we use this justification we will always conduct a balancing exercise to ensure that we consider the impact on you as an individual to ensure that our interests are not overridden by the impact on you. Some examples of activities where we rely on legitimate interests are:
- Sending you direct marketing via post;
- Conducting research to better understand our supporters and improve the services we offer to families;
- The use of CCTV in certain NSPCC offices for monitoring and security purposes;
- Sharing personal information amongst relevant teams within the NSPCC to ensure we communicate with our supporters in the most effective way;
- Purchasing marketing lists to promote our professional services via email to those who work directly or indirectly with children and young people;
- Handling any compliments or complaints in line with our policy.
We will not rent or sell your personal information to other organisations for use by them in any way, including in their own direct marketing activities.
Sometimes we cannot keep information confidential as we need to ensure all children, young people and vulnerable adults are safe. This means that if you tell us anything about yourself or another person being hurt or at risk of being hurt we might need to tell someone who can help (such as a social worker, parent or teacher). Sometimes the court might order us to share information and you might ask us to share information on your behalf.
If your local authority or another agency, such as your school or the police, have asked us to work with you we will need to gain information from them about you and share information with them and then we will need to let them know the outcome of our work. We will tell you who we are sharing your information with and why, unless it is a concern as mentioned above or we do not think it is safe to do so.
Sometimes we might want to tell your carer, social worker or someone else about how things are going while you are working with us, but we will always check this out with you first, unless we think it is not safe to do so.
We may ask you to complete a checklist which we send to another organisation, once we have removed any information that could identify you, and they provide us with a report to help us understand what will help you best.
However, where you have given us permission to contact you, we may pass on your information to external service providers to contact you on our behalf. For example, we may pass on your personal information to telemarketing companies such as DTV Optimise or Mango to conduct campaigns on our behalf.
We may ask external service providers to carry out tracking and analysis on our behalf as described in the cookies policy. For instance, we may pass on hashed out digital data (such as IP addresses) to our media agency OMD to monitor how well our campaigns are performing.
Where we use an external service provider to act on our behalf, we will disclose only the personal information necessary to deliver the service and will have a contract in place that requires the provider to comply with NSPCC data protection and information security requirements.
We always have your best interests at heart and your personal information will not be retained by the NSPCC for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.
We're legally required to hold some personal information to fulfil statutory obligations. For example the collection of Gift Aid or to support certain financial transactions. We may be asked to keep records for longer periods or receive statutory instruction not to delete records.
If you've used any of our services supporting children and families, for example Baby Steps or Letting the Future In, we will make notes of the work we do. We will keep these notes for 25 or 75 years depending on the nature of our work and your circumstances. For more information, or to request a copy of our data retention policy, please contact our Data Protection team at firstname.lastname@example.org.
Additionally the NSPCC may pass on your personal information to online advertising tools, including Facebook Custom audiences, Google Adwords Match and Google Analytics to carry out ‘remarketing activities’ . This means that if you’ve already visited our website we can direct you back to it through ads shown on sites across the internet by third-party vendors, including Google and Facebook.
We want to ensure that we provide you with information that is relevant to you. In order to do this, we may need to analyse the information we hold on you for supporter analysis and data quality purposes. This analysis includes modelling (e.g. how likely you are to respond to the invitation) and segmenting (looking at people who are similar to you), so that you receive targeted and relevant communication.
This ensures we can spend our charitable donations effectively to obtain the biggest impact for children. Additionally, as our data is captured from various different sources (e.g. donation or through our website, campaign data), for data quality purposes we will analyse your data to ensure we do not have unnecessary multiple versions of information on the same person on our database.
In carrying out the above activities, we may from time to time use publicly available information or information gathered from specialist companies. These include Directory of Social Change and UKChanges; companies that collate and analyse information from public registers to help ensure we have accurate and up to date information about our supporters. These companies may have obtained this information directly from you and in circumstances where you legitimately expect that they will pass on your information to other entities.
We will only use data collected in this manner for purposes to which you have consented or, if this is not reasonably practical, where we believe it is reasonably necessary to process your personal information for the purposes for which it has been provided. Throughout all of this we will always ensure that the privacy and security of your personal information is protected.
The NSPCC will ensure that when collecting information such as debit cards, credit cards or personal information that this done so securely. We and our partners use TLS (Transport Level Security) to encrypt data sent between the customer and us or our partners.
The NSPCC is PCI compliant and uses external Payment Card Industry (PCI) compliant providers to collect this data on our behalf. We do not store PCI data on our own systems.
To protect yourself when sending us sensitive information, please ensure that you use devices running supported operating systems that are regularly patched, and incorporate some form of malware protection. Only connect your devices to networks that you trust.
Where we have given you (or where you have chosen) a password which enables you to access certain parts our website, you are responsible for keeping the password confidential. You agree not to share that password with anyone else.
The personal information collected from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by individuals operating outside the EEA who work for us or working on our behalf. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services.
By submitting your personal data, you agree to this transfer, storing and processing at a location outside the European Economic Area. Where data is transferred outside the EEA, we have gone through a full due diligence process to help ensure the data is afforded the same levels of security.
Unfortunately, the transmission of information via the Internet is never 100% secure and we cannot guarantee the security of your data transmitted to our website. This means any such transmission is at your own risk.
To make sure we always have the most up-to-date information about how to contact you, we may also, from time to time, update your records to reflect any changes to your personal information.
This information may come directly from you, or it may come from a third party that we consider is legitimate and trustworthy and in circumstances where it is appropriate and where you will have had a clear expectation that your details would be passed on for this purpose.
We may also combine the information you provide us with information we collect from trusted third parties and partners such as business partners, sub-contractors, advertising networks, analytics providers, search information providers, credit reference agencies as well as publicly available sources. These third parties include, UKChanges, Post Office Address File and Experian Quick Address.
We use your cookies to give you a more personalised experience online. It helps us create a more effective website that reflects your needs. We may also collect and record information about how you use our site by collecting your IP address (in simple terms that just means a number that identifies a specific computer or other internet device).
If you'd like to access any of your rights, please contact us using the information below.
a. Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them and aim to do so within 30 days from when your identity has been confirmed. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be excessive in nature.
We would ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.
b. Right to correct your personal data
If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it.
c. Right to stop or limit our processing of your personal data
You have the right to object to us processing your personal information if we are not entitled to use it any more, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances.
If you're concerned about the way your personal data is handled, please contact the Data Protection team at email@example.com.
You can also contact us via post:
Data Protection Offficer,
42 Curtain Road
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here: https://ico.org.uk/for-the-public.
You also have the right to contact the Information Commissioner’s Office on 0303 123 1113, via their website www.ico.org.uk or via post:
Information Commissioner’s Office