This policy was updated in December 2021.
Hello, we are the National Society for the Prevention of Cruelty to Children, though you may know us as the NSPCC. We are the leading children's charity fighting to end child abuse in the UK, Channel Islands and Isle of Man. We help children who have been abused to rebuild their lives, protect those at risk, and find ways to prevent abuse from happening.
Safety is at the heart of everything we do. Our mission is to keep children safe across the UK – it’s what drives all our work. At the NSPCC we’re committed to protecting your privacy and any of your personal data that we have.
The NSPCC is registered under the Data Protection Act 2018 under number Z6593104 and for the purposes of this policy is the Data Controller. Our registered charity numbers are 216401 in England and Wales, SC037717 in Scotland and 384 in Jersey. The NSPCC Trading Company Ltd. (registered Company in England & Wales no. 890446) is a wholly-owned subsidiary of ours which trades on our behalf. We have appointed a DPO at DPO Centre Limited, 50 Liverpool St, London EC2M 7PY.
Below we have answered some questions to explain how we protect your personal data.
Personal data is any information that can be used to identify you or another person. For example, if you donate money, use our services or visit our offices, we will collect and process the personal data that you’ve provided.
We may collect the following personal data:
- Basic personal details (your name, email address, postal address, telephone or mobile number and date of birth);
- Financial details (bank account number, UK taxpayer information for gift aid);
- Credit or debit card information;
- IP address;
- Photos, videos or audio recordings used as part of our work with you;
- CCTV which is in use at various NSPCC premises.
We may also collect, store and use the following 'special categories' of sensitive personal data which need more protection, called a 'condition of processing'. We won’t use any of this information without a justified reason:
- Information about your race or ethnicity;
- Philosophical or religious beliefs;
- Sexual orientation;
- Political opinions;
- Trade Union membership;
- Information about your health;
- Information about criminal convictions.
We also collect browsing data when you visit our websites, which may identify your device or web browser. This could be location data, how you found us and the pages you looked at on our website. We use this to provide you with the information that is most relevant to you.
This data is collected by cookies, which are small files stored on your computers’ or mobile devices’ web browser. These cookies are used to keep you logged in as you move around a site, provide content, and check website performance. This helps us make the website better for you and for others.
There are many ways that we may use your personal data. Here is how we use your personal data for our main activities:
To provide you with information, services or products you’ve requested, or which may interest you. When you open or click on a link in an email from the NSPCC we will receive information about that action. This helps us understand if our campaigns are doing well, and makes sure that we only contact you in the ways you have agreed. Third parties may send you information on our behalf, but only if you have agreed. For more information, please see “Sharing your information with third parties” below.
To provide key services for safeguarding children. This could include the collection of ethnicity and health data. We use this to assess the needs of individuals so we work with the right agencies and our services reach the right people.
To enable us to support you in our work with you. Sometimes we use mobile phones, cameras or laptops for filming, voice recording or slideshows as part of our work with you. These are used to improve your relationships, help you understand our work better and help our workers learn how to support you better.
To improve our fundraising activities and the services we provide to children and families. This could be looking at demographics to help our campaign, marketing and service delivery plans. We do this to understand how useful our services are and ensure we spend our money in the best way. If you use an NSPCC service, we use your data as statistics for evaluation but this will not identify you as a person. To make sure we are delivering the best service, the information we have about you may be checked by other members of our organisation.
To check and improve the services offered on our websites. This means we can give you the best user experience, which may involve giving your information to third parties.
To allow you to take part in interactive features on our website, when you choose to do so. For example, we may help you auto-complete forms by inserting your contact details for you to edit.
To use your IP addresses to identify relevant information. This may include information such as your approximate location. It also helps us to know information like the number of visits to the website from different countries.
To make our marketing campaigns more relevant to potential donors and customers.
To record and respond to any compliments, comments or complaints from supporters or service users and to investigate and make necessary changes. All feedback helps us to learn and to improve what we do. For more information, please read our Compliments, Comments and Complaints policy.
To conduct prospect research. For more information, please see the Prospect research section below.
To promote our activities. Where you have agreed we may use photos of you, or testimonials, for marketing.
To match information collected from you through different ways or at different times. That could include information collected online and offline, and from other sources. This includes third parties and publicly available sources. This makes sure that the information we hold about you is up-to-date and accurate. These include third parties such as BT OSIS, Post Office Address File and Experian Quick Address.
To check your suitability for a role at the NSPCC as an employee or a volunteer. This may involve internal searches against our database as part of the application process.
To protect staff and visitors to NSPCC sites. To protect staff, visitors and to protect the organisation against theft, some sites have CCTV installed.
Some of these activities may also involve ‘automated decision-making’. This is where we can make decisions about you automatically without a person being involved, for example the NSPCC uses a chatbot which can direct you to further information automatically depending on the personal data you provide. However, you can object to the use of your information for profiling and automated decision-making. For information on how to do this, please see the section on ‘Your Rights’ below.
If you wish to change or update your consent for direct marketing you can contact our Supporter Care team. Please see 'Complaints' below.
Our researchers use personal data, including sensitive personal data, in their work. This might include looking at our services such as Speak Out Stay Safe or doing research to help us understand what parents of disabled children need to help keep their children safe from sexual abuse. Research means we can make sure our services, programmes and campaigns support children and families, and identify other areas for research, campaigns and programme development. We don't ask for consent to use your personal data for research but rely on legitimate interests as our lawful basis. For our research activities, we conduct a review to make sure that we consider your rights and freedoms.
We do prospect research to find people who may be interested in supporting the NSPCC with a large amount of money. This includes looking at information on current or past supporters, as well as sources in the public domain. We use a scoring system to work out how likely a person is to donate a large amount of money, and the level of support they could provide. This helps us prioritise our resources and tailor funding proposals.
We only use information from reliable sources in the public domain. We never use third parties to do research on our behalf. We do not ask for consent but rely on legitimate interest as our lawful basis. We will tell you if we do conduct research on you as soon as possible. You will be able to see the information we have collected and any score we have given to your record and ask for it to be deleted if you wish. If we can’t tell you within six months, we will delete this information from our records.
Data Protection law means we must have a reason or justification, also known as a ‘lawful basis’, to use any of your personal data:
This is where we've asked for your permission to use your personal data in a specific way, and you've agreed. For example, to send you marketing via email or SMS.
We may process your personal data as part of an agreement you have with us. For example, if you work for us or if you buy something from our online shop.
We may collect or share your personal data when we need to by law. For example, to fulfil a regulatory rule or for fraud detection by carrying out checks on our donors. This might be where we check that a donation has not come from an illegal source.
Where there's an immediate risk to your health we may use your personal data. For example if we're worried about your health or safety at one of our fundraising events.
Some activities are done in the public interest. For example, collecting personal data about safeguarding concerns raised through the NSPCC Helpline.
Our legitimate interest is engaging with the public to further our charitable aims. This means that it’s important for us to talk to members of the public so that we can promote our work and talk about our goals as a charity. We will only use your data in this way if we are sure it is ok to do so, and thought about the effect it would have on you. Some examples of things we do which use ‘legitimate interests’ as a reason are:
- Sending you direct marketing in the post;
- Doing research to understand our supporters and improve the services we offer to families;
- The use of CCTV in some NSPCC offices for monitoring and security reasons;
- Sharing personal data with some teams in the NSPCC so we can communicate with our supporters in the best way;
- Buying marketing lists to promote our professional services via email to people who work with children and young people;
- Handling any compliments or complaints in line with our policy.
We will not rent or sell your personal data to other organisations for use by them in any way, including for their own marketing.
If you decide to do any NSPCC Virtual Training this may be through an online platform such as Zoom. You will then be subject to Zoom’s own Privacy Notice which you will find at https://zoom.us/privacy.
We may share your personal data with third parties:
- If we're legally asked to;
- To protect the rights, property or safety of the NSPCC, our donors or others.
This includes sharing information with other organisations for fraud detection and protection, or with local authorities or social services who provide health, legal or social care or treatment. We may ask other organisations to look at how well our services work, which might mean sharing some of your information, such as dates of birth, ethnicity, religious beliefs. This is to make sure our services work for people from all different backgrounds. This information will not identify you.
Sometimes we cannot keep information confidential as we need to ensure all children, young people and vulnerable adults are safe. This means that if you tell us anything about yourself or another person being hurt or at risk of being hurt, we might need to tell someone who can help (such as a social worker, parent or teacher). Sometimes the court might order us to share information and you might ask us to share information on your behalf.
If your local authority or another agency, such as your school or the police, have asked us to work with you we will need to share relevant information about you with each other and let them know the outcome of our work. We will tell you who we are sharing your information with and why, unless we are concerned that you or another person are at risk of being hurt, or we do not think it is safe to do so. Sometimes we might want to tell your carer, social worker or someone else about how things are going while you are working with us, but will always check with you first, unless we think it is not safe to do so.
We may ask you to complete a checklist which we send to another organisation so they can provide a report to help us understand what will help you most. We will remove any information that could identify you first.
However, where you have agreed that we can contact you, we may pass on your data to external service providers to contact you on our behalf. For example, we may share your personal information with telemarketing companies such as DTV Optimise or Mango to do campaigns for us.
We may ask external service providers to do tracking and analysis for us as described in the cookies policy. For instance, we may pass on data such as IP addresses to our media agency OMD to check how well our campaigns are doing.
Where we use an external service provider to act on our behalf, we will share only the personal data necessary to deliver the service and will have a contract in place that requires them to meet NSPCC data protection and information security requirements.
Sharing with Joint Controllers:
The NSPCC uses the Facebook Pixel cookie on this website for remarketing, analysis and reporting of NSPCC advertising campaigns as described below in “Remarketing” and in the NSPCC’s Cookies Policy. Use of this tool means that information about pages you have visited on this website and your IP address will be shared with Facebook who will then serve you advertising on Facebook based on this information.
For the purpose of these “Joint Processing” activities we are required by Facebook Ireland to provide you with the following information:
Facebook Ireland is a Joint Controller of this Joint Processing. More information can be found in Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy.
The NSPCC uses Facebook Products such as the Facebook Pixel, the Facebook ‘Like’ button and Facebook Challenge for our events. These tools help you interact with the NSPCC and also help us understand our supporters. When you interact with these tools your data is shared with Facebook as well as the NSPCC because we are ‘Joint Processors’. For more information on how Facebook handles your personal data when you use these tools please visit www.facebook.com/legal/terms/businesstools.
More information about how Facebook Ireland processes Personal Data, including the legal basis Facebook Ireland relies on and the ways you may exercise your rights as a data subject against Facebook Ireland, can be found in Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy. This means that you can go to their website if, for example, you wanted to see any of your personal data which Facebook are holding.
In addition, please note that:
The NSPCC and Facebook Ireland have:
Entered into A Controller Addendum to determine their respective responsibilities for compliance with the obligations under the UK GDPR with regard to the Joint Processing of the use of Facebook Products and the personal information derived from them.
Agreed that the NSPCC are responsible for providing Data Subjects as a minimum with the information required under Article 13 of the UK GDPR and;
Agreed that Facebook Ireland is responsible for enabling your rights as a data subject under Articles 15-20 of the UK GDPR with regard to the Personal Data stored by Facebook Ireland after the Joint Processing.
This means that Facebook and the NSPCC have made an agreement together about their responsibilities for anyone who uses Facebook products. They have agreed that the NSPCC must tell people that their information will be shared with Facebook, and Facebook must make sure that people can use their legal rights when it comes to their personal data, for example if they want to access, or to change, any personal data that Facebook have. A full list of your rights is in the section called ‘Your Rights’ at the bottom of this page.
We always have your best interests at heart and your personal data will not be kept by the NSPCC for longer than needed.
We're legally required to keep some personal data to meet legal obligations. For example, to claim Gift Aid or for certain financial transactions. We may be asked to keep records for longer periods or be told that legally we must not delete some records.
If you've used any of our services supporting children and families, we will make notes of the work we do. We will keep these notes for 25 or 75 years depending on your circumstances and the kind of work we did with you. For more information, or to request a copy of our data retention policy, please contact our Data Protection team at firstname.lastname@example.org.
Please see the ‘Sharing your information with third parties, keeping your information safe’ section for further details on data processing of the Facebook Pixel.
We want to give you relevant information. To do this, we may need to look at the information we hold on you. This analysis includes modelling (e.g. how likely you are to respond to an invitation) and segmenting (looking at people who are similar to you).
This means we can spend our donations in the best way, to make the biggest impact for children. As our data is taken from different sources (e.g. a donation on our website or campaign data), for data quality purposes we will analyse your data to avoid having different versions of information on the same person on our database.
We sometimes use publicly available information or information taken from specialist companies. These include Directory of Social Change and UKChanges; companies that collect and analyse information from public registers to help us keep accurate, up to date information about our supporters. These companies may have got this information directly from you and in circumstances where you expect that they will pass on your information to other organisations.
We will only use data collected in this way for things which you have agreed to, or if not practical, where we think it’s necessary to use your personal data for that reason. We will always ensure that the privacy and security of your personal data is protected.
The NSPCC will ensure that when collecting information such as debit cards, credit cards or personal data that this is done securely. We and our partners use TLS (Transport Level Security) to encrypt data sent between the customer and us or our partners.
The NSPCC is PCI compliant and uses external Payment Card Industry (PCI) compliant providers to collect this data on our behalf. We do not store PCI data (for example credit card numbers) on our own systems.
When sending us sensitive information, it is safest to use a device with a supported (current) operating system, with regular security updates and virus protection. Only connect your devices to networks that you trust.
Where we have given you (or you have chosen) a password to access certain parts of our website, you are responsible for keeping the password confidential. You agree not to share that password with anyone else.
The personal data collected from you may, in very rare circumstances, be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by people outside the EEA who work for us or work on our behalf. This might be, for example, staff processing payment details.
By submitting your personal data, you agree to this transfer, storing and processing at a location outside the European Economic Area. Where data is transferred outside the EEA, we have gone through a full due diligence process (checks) to help ensure the data has the same levels of security. We will make sure the transfer of data outside the EEA is done in a way that follows the law and is consistent with and respects EU and UK laws on data protection. This means that even if your personal data is transferred outside the EEA we will still help ensure it is protected.
Unfortunately, sending information via the Internet is never 100% secure and we cannot guarantee the security of your data sent to our website. This means any such transmission is at your own risk.
To make sure we always have up-to-date information about how to contact you, we may also update your records to make changes to your personal data.
We may also link the information you provide us with information collected from trusted third parties and partners such as business partners, sub-contractors, advertising networks, analytics providers, search information providers, credit reference agencies as well as publicly available sources. These third parties include, UKChanges, Royal Mail Postcode Address File and Experian Quick Address. An example of would be if you accidentally entered your postcode incorrectly on our system, we would be able to change it to the correct postcode.
If you'd like to use any of your rights, please contact us using the information below.
a. Right to access your personal data
You have the right to see the personal data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request’. If we agree that we must provide personal data to you (or someone else on your behalf), we aim to do so within one month from when your identity has been checked. We will not charge a fee for considering and/or complying with the request unless it is considered to be excessive in nature.
We would ask for proof of identity and enough information about your interactions with us so that we can locate your personal data.
b. Right to correct your personal data
If any of the personal data we hold about you is inaccurate or out of date, you may ask us to correct it.
If you would like to exercise your right, please contact us as set out below.
c. Right to stop or limit our processing of your personal data
You have the right to object to us processing your personal data for particular reasons, to have your information deleted if we are keeping it too long or have its processing restricted in some circumstances.
If you would like to exercise this right, please contact us as set out below.
d. Right to stop or limit our processing of your personal data
You have the right to have personal data deleted. This is also known as the ‘right to be forgotten’. The right only applies in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
e. Right to portability
The right to portability gives you the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format.
If you would like to exercise this right, please contact us as set out below.
You can make any of the above requests by emailing email@example.com or by writing to:
Data Protection Officer
42 Curtain Rd
We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
You can also find out more about what to expect if someone has made a report about you and how you can access your information on our report abuse page.
Read our guide to accessing your personal data (PDF, 303KB)
If you're concerned about the way your personal data is handled, please contact the Data Protection team at firstname.lastname@example.org.
If you would like to change the way we contact you please contact our Supporter Care team on 020 7825 2505 or emailing us at email@example.com.
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here: https://ico.org.uk/for-the-public.
You also have the right to contact the Information Commissioner’s Office on 0303 123 1113, via their website www.ico.org.uk or via post:
Information Commissioner’s Office