This policy describes how and why the National Cancer Research Institute (NCRI) uses your personal information, how we protect your privacy when doing so, and your rights and choices regarding this information. We promise to respect any of your personal information which is under our control and to keep it safe. We aim to be clear when we collect your information about what we will do with it.
We have made improvements to this policy to make it more understandable to our users.
From May 2018, we have moved to be an ‘opt-in only’ communication policy. This means that we will only send marketing communications to those that have explicitly stated that they are happy for us to do so via their preferred channel(s)
Who we are
Where we collect information about you
We collect information in the following ways:
When you give it to us directly
You may give us your information in order to sign up for one of our events, sign-up to our mailing lists, or otherwise communicate with us.
In addition, in accordance with common website practice, we will receive information about the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is.
When you give it to us indirectly
Your information may be shared with us by third parties, for example:
- independent membership associations or data management companies
- if you are a researcher and your information is shared with us by the principal investigator or institution, for example when you are a co-author of an abstract that has been submitted to one of our events.
We also may receive data about you from subcontractors acting on our behalf who provide us with technical, payment or delivery services, and from business partners, advertising networks and search/analytics providers used on our website.
Information from other sources
We also use information from the following sources:
- Social Media
Depending on your settings or the privacy policies for social media and messaging services like Facebook, LinkedIn or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.
- Information available publicly
We might supplement information on you with information from publicly available sources such as charity websites and annual reviews, corporate websites, public social media accounts, the electoral register and Companies House in order to create a fuller understanding of someone’s interests in NCRI.
What personal data we collect
The type and quantity of information we collect and how we use it depends on why you are providing it. We may collect, store or use the following kinds of personal information:
- your name;
- your contact details (including postal address, telephone number, e-mail address and/or social media identity);
- your date of birth;
- your gender;
- information relating to any reasonable adjustment that may need to be made (for example dietary and access requirements);
- if you contribute to NCRI activities or apply for a job with us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context, as well as any unspent criminal convictions or pending court cases you may have);
- information about your activities on our website(s) and about the device you use to access these, for instance your IP address and geographical location;
- information relating to your health (for example if you are taking part in or attending an event for health and safety purposes, as well as where you share your experience of cancer with us);
- age, nationality and ethnicity information for monitoring purposes; and
- any other personal information you provide to us.
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data would be information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information to the extent that there is a clear reason for us to do so, for example asking for your gender when taking part in a survey. We will also collect this type of information if you make it public or volunteer it to us – for instance if you tell us you have cancer when applying for a position with us. Wherever it is practical for us to do so, we will make why we are collecting this type of information clear and what it will be used for.
How we use your information
We may use your personal information to:
- provide you with the services, products or information you asked for;
- keep a record of your relationship with us;
- respond to or fulfil any requests, complaints or queries you make to us;
- understand how we can improve our services, products or information by conducting analysis and market research;
- facilitate our events;
- check for updated contact details against third party sources so that we can stay in touch if you move (see “Keeping your information up to date” below);
- further our charitable objectives;
- register, administer and personalise online accounts when you sign up to services we offer;
- send you correspondence and communicate with you;
- administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
- testing our technical systems to make sure they are working as expected;
- contact you if you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, to see if we can help with any problems you may be experiencing with the form or our websites;
- display content to you in a way appropriate to the device you are using (for example if you are viewing content on a mobile device or a computer);
- generate reports on our work, services and events;
- safeguard you, our staff and others we work with;
- conduct due diligence and ethical screening;
- monitor website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to you;
- process your application for a job or another position;
- conduct training and quality control;
- meet our legal obligations, for instance to perform contracts between you and us, or our obligations to regulators, government and/or law enforcement bodies;
- carry out fraud prevention and money laundering checks;
- undertake credit risk reduction activities; and/or
- establish, defend or enforce legal claims.
How we use your information to tell you about our work
Sending marketing communications
Our marketing communications include information about our events, latest activities and initiatives. Occasionally, we may include information from partner organisations, other third parties and/or organisations who support our work. We operate an ‘opt-in only’ communication policy. This means that, except as set out below, we will only send marketing communications to those that have explicitly stated that they are happy for us to do so.
We may use information you have given us directly, for example, the record of your relationship with us, your location and demographics, as well as the type of activity you have been involved with, to tailor our communications with you about future activities.
Managing your contact preferences
We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear marketing preference questions and we include information on how to opt-out when we send you marketing. If you don’t want to hear from us, that’s fine, and you can change your preferences at any time. Just let us know when you provide your data or contact us on 0203 469 8460 or firstname.lastname@example.org.
If you’ve decided you don’t want to be contacted for marketing purposes, we may still need to contact you for administrative purposes. This may include where you are involved in an event or keeping in touch with you about other activities you are involved in with us, for example when you sit on one of our committees.
Legal basis for processing
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases, we may need to share your information with our various regulators such as the Charity Commission, Information Commissioner or to use the information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are applying to work/volunteer with us.
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance, if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us to do so and in our “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
A non-exhaustive list of when we are relying on legitimate interests follows:
- analysis and profiling of our stakeholders using personal information we already hold;
- updating your address using third party sources if you have moved jobs (please see the “Keeping your information up to date” section below for more on this).
- use of personal information when we are monitoring the use of our website or apps for technical purposes;
- use of personal information to administer, review and keep an internal record of the people we work with, whether salaried or not.
- sharing of personal information between relevant teams and committees within NCRI;
- sharing personal information with third parties who help us deliver or administer an event.
When we use sensitive personal information (please see the “What personal information we collect” section above), we require an additional legal basis to do so under data protection laws, so we will either do so on the basis of your explicit consent or another route available to us by law (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
How we keep your information safe
We ensure that there are appropriate technical and organisational controls (including physical, electronic and managerial measures) in place to protect your personal details. For example, our online forms are always encrypted and our network is protected and routinely monitored.
How long we keep your information for
NCRI has specific criteria to determine how long we will retain your information for, which are determined by legal and operational considerations. For instance, we are required to keep some personal information for tax or health and safety purposes, as well as keep a record of your interactions with us.
Sharing your information with others
We do not sell or share personal details with third parties for the purposes of marketing. However, we may disclose your information to third parties in connection with the other purposes set out in this policy. These third parties may include:
- business partners, suppliers and sub-contractors who may process the information on our behalf;
- if you are a researcher, volunteer, advisory panel member, any joint funders of research, host institutions and external members of our committees;
- analytics and search engine providers;
- IT service providers.
Some of our suppliers run their operations outside the European Economic Area (EEA) – this may include a country which may not be subject to the same data protection laws as companies based in the UK. In these circumstances, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law, and appropriate safeguards are in place.
Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider this necessary, to protect the rights, property or safety of NCRI, its personnel, visitors, users or others.
We reserve the right to disclose your personal information to third parties:
- if we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets; and/or
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets.
Keeping your information up to date
We may use information from external sources such as company house, for example, to identify when we think you have changed address so that we can update our records and stay in touch. We only use sources where we are confident that you’ve been informed of how your information may be shared and used.
We do this so we can continue to contact you where you have chosen to receive marketing messages from us and contact you if we need to make you aware of changes to our terms or assist you with problems with event registrations.
This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to.
We’re committed to putting you in control of your data and you’re free at any time to opt-out from this activity. To find out more, please contact 0203 469 8460 or email@example.com.
We really appreciate it if you let us know if your contact details change.
Under UK data protection law, you have rights over the personal information that we hold about you. We’ve summarised these below:
Right to access your personal information
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, send a description of the information you want to see by post to NCRI Executive, 2 Redman Place London E20 1JQ or by email to firstname.lastname@example.org
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.
Right to restrict the use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right and you have told us to amend it; we’re not lawfully allowed to use it until it has been amended; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions, you have the right for this to be done.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal information
If we are processing your personal information based on our legitimate interests or for scientific/historical research or statistics, you have a right to object to our use of your information.
If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
If you want to exercise any of the above rights, please contact us on NCRI Executive, 2 Redman Place London E20 1JQ or by email to email@example.com. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request, however, if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office.
If you are unhappy with any aspect of how we are using your personal information we’d like to hear about it. Please contact us on NCRI Executive, 2 Redman Place London E20 1JQ or by email to firstname.lastname@example.org. We appreciate the opportunity this feedback gives us to learn and improve.
You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office, the UK data protection regulator.
Changes to this policy
If you have any questions, comments or suggestions, please let us know by contacting NCRI Executive, 2 Redman Place London E20 1JQ or by email to email@example.com or by phone on +44 (0)20 3469 8460.