We understand the value we all put on our personal data, which is why we’re careful to protect the information we hold and keep check to ensure we only hold the data we need.
What follows is an overview of how we look after your information and why. We’re also happy to answer specific questions you may have. Please email us via firstname.lastname@example.org.
This policy was last updated 11 May 2021 because we have started using Facebook Pixel and Hotjar.
This policy was previously updated 10 March 2021 because we started using Google Analytics/Advertising Cookies.
This policy was previously updated 19 February 2021 to more accurately detail the handling of personal data for people accessing our services and supporting our activity.
We will never sell or swap your data.
Only Become team members who need your information to do their job can access your information.
You can change your communication preferences or opt out altogether whenever you choose.
We’re especially sensitive when engaging vulnerable children and adults through our services, fundraising or policy, campaigns and communications activity.
We work hard to safeguard your information through security policies and protocols.
We recognise that data protection is an ongoing commitment, not a one-off policy.
When will we ask you for information?
We may collect personal information (e.g. your name, number or address) from you when you:
- Enquire about or access our advice and support services
- Engage in our policy, campaigns and communications activity (sometimes referred to as our ‘participation’ work in this statement)
- Share your views with us through research or consultation work
- Request care advice materials
- Enquire about or book our training and/or consultancy services
- Donate or commit to make a future donation
- Enquire about or sign up to a fundraising event
- Apply to volunteer or work with us
How do we collect information about you?
Almost all of the information we collect about you comes directly from you. This means that you are able to decide what data we hold and why from the very start. In the main, you’re most likely to have been in touch via our website or email first, but we also start the data collection process if we speak on the phone or even face to face.
If you donate to us it is likely that you will have noticed we use third-party companies, such as JustGiving, Virgin Money Giving and CAF Donate, to collect and process personal data on our behalf. Third-party companies only provide us with your data if you have given them permission to do so. Otherwise, your information is anonymised before it is passed to us.
What information we collect
We try to record what you’re interested in and what prompted you to get in touch. For example, if you got in touch to discuss our life coaching work, the services team will ask your permission to keep your information on record, so that they can keep you updated on the service.
We keep track of any correspondence and link it to future and past communication. We make note of what we’ve previously discussed with you (whether by phone, post or email) so that we can avoid sending you the same information by mistake. The more information we capture, the more we can tailor our conversations and communications based on what has been said before and the topics that interest you.
If you are in contact with our services or policy, campaigns and communications teams and you disclose particularly sensitive information, that information is further protected via our password-protected database.
We will take note of where you work if you tell us. The fundraising team are hoping to increase the number of corporate supporters of Become and know the most effective way to do so is by galvanising internal champions who are already committed to the cause.
As we use a third-party provider, CAF Donate, to process Credit Card and Direct Debit donations, the fundraising team do not keep a record of your financial information. If you opt to donate via Standing Order however, we do maintain a record of your bank account as payments are made direct. This, and all fundraising information, is held on a password-protected database, with limited users and different user levels.
In cases where we may need to transfer or process your personal information outside the European Union we will comply fully with our legal obligation. This is the case with our supporter database and our email platform, both of which are hosted by companies with headquarters in the USA. Their services are regulated and in accordance with data protection legislation.
If you’re taking part in an event for us, we may ask for emergency contact details. We will never contact that individual for any other reason without their express permission and we will destroy that information once the event(s) is complete.
If the fundraising team understand that you could make a large donation, they may run a search on sites like Google, Companies House and LinkedIn for publicly available information to get a better view of your capacity to make a donation, your interest in supporting children in care, as well as your networks. The fundraising team also try to make sure that there isn’t anything they should be aware of that may harm the reputation of the charity by association. The resulting profile is stored on the fundraising database.
More generally, we look at information on our websites (www.becomecharity.org.uk and www.propel.org.uk), like what pages people visit the most or which link in an e-newsletter was the most popular. We use Google Analytics to help us better understand how our website is used and what. This means we can look at aggregate data to see any patterns or trends (like more people accessing our Factsheets following an article in the paper) that can help us measure the success of an activity and better prepare for similar activities in the future. In the main, we use anonymised, aggregate data, but Google Analytics does provide access to IP addresses.
Cookies and analytics
Cookies are used on the Become and Propel websites to identify your computer to our server and help us to track how many visitors we get. We use this information to monitor traffic trends and plan development of our website.
We use Google Analytics and the Google Advertising/Analytics cookies to build a better picture of who uses our site. This means we can see more about the interests and key demographics (e.g. age or general location) of our web visitors.
Google Analytics is used to help us understand how people use our website, see how our visitors find us and identify ways to improve visitor experience. We do not sell this information to third parties.
To find out how to block or delete cookies, as well as more information on our cookie use, please read our Cookies Policy. You can also edit your information and turn off Ad personalisation here: https://adssettings.google.com/
We also gather information from social media companies including Facebook to tailor our social ads and boosted posts to you based on your interests and preferences. On Facebook we use the Facebook ads audience function (including custom audiences) and Pixel. This helps us prioritise our communication, focussing on the methods, channels and content by understanding what interests and engages people.
Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
Accessing our services and supporting our activity
The personal data we collect to provide our advice and support services and our participation work is saved in the same secure database. This helps us to deliver against our organisation-wide commitment to safe and trauma-informed practice with young people including those who have opted to engage with us in multiple ways and through multiple staff members.
Collecting and holding information is essential for us to provide you with the right support and advice. We also use service data for training, quality monitoring or evaluating the services we provide.
We analyse contacts across the charity – looking at whether individuals use more than one service and your journey within the organisation. This is particularly important for us to be able to accurately monitor our impact (e.g. are we helping one person in four different ways or four different people), and for supporting individuals to engage with us in different ways (e.g. both accessing our advice and support services as well as joining in with our ‘participation’ activity).
We do not assume consent for participation or fundraising contact just because you have accessed our advice and support services.
Sharing your experiences
Case studies, quotes and stories can help increase understanding of life in and leaving care and how the care system works. Sharing personal experiences is a powerful communication tool but we respect your right to privacy and recognise the emotional impact which sharing personal experiences can have. We support young people who want to share their personal experiences with us and others, but never make this a condition of accessing our support.
Your image (photo/video) would only ever be used with your express consent for use in online and offline publications, including social media.
Case studies and quotes provided for policy and research activity are typically anonymised, with names and identifying information changed unless you have expressly consented for us to use your real name. We do not otherwise alter the facts of any story.
Case studies about fundraisers and donors are typically not anonymous so we seek express permission to use a supporter’s story before publishing.
Depending on your involvement, volunteers may be asked to undergo a DBS check. The DBS check process is set out by the Disclosure and Barring Service, a government body. This process includes specifying what proof of ID and address information is required. Once a cleared DBS check has been received, we shred and/or delete any related personal information.
When applying for a volunteer role, we may ask for your CV and references. Both such documents, along with your volunteer application form, are retained for at least the lifespan of your engagement within Become. Only team members within directly relevant service lines will have access to the otherwise restricted files.
Emergency contact information will be asked of you, should you be travelling as part of your volunteer work or should you be working alone, for example, if you are travelling to a school to give an awareness talk on the care system. Such contact information is stored for an agreed period and then destroyed. We do not add emergency contact information to our contact database without consent.
All service user data is held securely and can only be accessed by the projects and programmes team.
We store personal information on our fundraising database. The secure database is only accessible by the fundraising and communications team. At a base level, we aim to collect your name and address. This is because we cannot match past or future donations to the same person by name alone and because, should you complete a Gift Aid declaration, HMRC requires full name and address details for a claim to be valid.
We also ask for email addresses because it’s a cost-effective way for us to keep in touch. We try to complement postal communication with email communication, but only if you have told us you’re happy for us to email you.
If you make a donation by credit/debit card, whether over the phone or online, payment details are sent directly to CAF Donate, our card payment processing partner. Once card details are entered, we do not retain them on our systems.
It is important that donors let us know if you move house, even if you have opted out of receiving letters. This is because your Gift Aid declaration is only valid if matched against a current address and we do not currently pay for Royal Mail’s National Change of Address service.
Getting to know you
We know people support our work for a variety of reasons. It helps us in the fundraising team to understand what those reasons are, so we can communicate with you in an appropriate way. For example, if you support our work because you have direct experience of the care system, you probably won’t find much value in a letter explaining to you what it is – you already know.
But for us to communicate with you the right way, we do need to have an accurate picture of who you are. This means we may ask you to let us know what motivated you to donate, or how you feel about our work. The information you provide offers insight that we analyse to plan our activities and communications.
If someone has provided an address in writing we can’t decipher, we’ll use Royal Mail’s address finder service. When we’re sending planned appeals, we may use a screening company to check that no one on the list has recently passed away. The last thing we want to do is send an appeal bearing the name of a lost loved one only for their next of kin to receive it.
We also analyse email results, such as open rate and click-through. We don’t want to waste anyone’s time on emails that no one is reading, so it’s important to be able to see what messaging people are interested in.
We may also look at publicly held information through the Charity Commission, Companies House, media stories and Google, to better understand you and your philanthropic priorities so that we can be measured in who we approach for substantial support. Research of this kind is important because there is a risk to the charity if we unwittingly align ourselves with someone that would undermine the trust we have built with our service users or damage our reputation.
We also don’t wish to waste prospective donors’ time by making uninformed approaches. For instance, there is no point in us writing a letter to someone who has publicly declared that they are solely committed to supporting international development charities. But we can only know that by researching the person using publicly held information and storing it against their record so that we don’t have to repeat the research in the future.
What we do to protect your data
We ensure there are clear standard operating procedures in place for handling data. This includes limiting access to personal data to individuals who must log in with a unique username for access.
In the interest of security, we do not publicly declare our internal technical and operational measures for protecting your data. We will state however that we challenge and review our processes on a regular basis to keep step with changing technology and expectations.
We may need to disclose details if we are required to by authorities including the police, HMRC and regulatory bodies.
You can ask us to stop processing your personal data for fundraising and marketing and, if we don’t need your information to process a parallel request (e.g. registering for an event), we will stop.
You have a right of access to a copy of the information comprised of your personal data. Please make a request in writing to Data Protection, Become, 15-18 White Lion Street, London N1 9PG.
If you are aware of any inaccuracies with the data we hold (e.g. we’re addressing you by your maiden name), you can let us know and we will correct it and, if appropriate, delete the inaccurate data.
You can also ask us to remove any data we hold about you. We will delete your personal data unless there is a legal requirement to retain it (e.g. company law).
You can opt out of fundraising or marketing communications at any time. Please contact email@example.com or 020 7251 3117 to request that we update your preferences.
It’s important to note that we may still have to contact you for administrative purposes. For instance, if your Direct Debit is amended or cancelled at a later date, we will write you a letter or email to confirm the action.
The legal bases that we rely on for processing your personal data are:
- You have provided your consent to us using your personal data for a specific purpose:
We will ask for your consent to use your personal data to send you marketing emails and SMS.
You always have the right to withdraw your consent at any time.
- It is necessary in connection with the performance of a contract with you:
Sometimes it is necessary to process your personal data so that we can provide contractual relationships with you. For example, if you volunteer or work for us.
- It is necessary for compliance with a legal obligation to which we are subject:
This would include where we must retain certain records, for example, to manage health and safety, for the detection and prevention of crime, safeguarding obligations, for maintaining suppression lists to ensure we comply with marketing laws, for tax reasons (such as those related to Gift Aid donations) and undertaking due diligence before accepting certain donations or entering certain relationships.
- It is within our legitimate interests.
Applicable law allows personal data to be collected and used if it is reasonably necessary for our legitimate interests or a third party’s legitimate interests (if the processing is fair, balanced and does not unduly impact individuals’ rights). We will rely on this ground to process your personal data when it is not practical or appropriate to ask for your consent, and where we are confident that this will not impact your rights. This may include where we undertake research on individuals including before we proactively contact them, as set out in sections ‘What Information we Collect’ and ‘Getting to Know You’.
Our legitimate interests include raising funds for a wide range of activities to support our charitable objectives. We also have a legitimate interest in publicity and income generation, campaigning and fundraising to support these objectives and undertaking due diligence to establish the provenance of donations that are made, or may be made, to us.
Where you have provided your details to us, we may contact you by post and phone for certain marketing and fundraising activities (but we will explain this to you at the point that we collect your details). You can opt out of this activity at any time by emailing us on firstname.lastname@example.org.
We will also rely on our legitimate interests for the proper administration of Become, and to manage our operations (for example, maintaining appropriate records and databases, for the detection and prevention of crime and safeguarding all those who access our premises and facilities).
When we process your personal data to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal data for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Please see the section above for the limited legal basis for when we process sensitive personal data.
Changes to our Privacy Notice
We may update this notice from time to time, as regulation or our internal processes change.
We will note and date significant revisions at the start of this policy. If you wish to be contacted directly in the event of significant changes to the Privacy Notice, please send your contact details and request to email@example.com.
If you have any questions, comments or suggestions about how we look after your personal data, please contact us by writing to firstname.lastname@example.org or Data Protection, Become, 15-18 White Lion Street, London N1 9PG.