1. Purpose of this policy
In particular, this Policy explains:
- the kinds of personal information we collect about you;
- the means by which we obtain your personal information;
- the ways in which we use your personal information;
- the basis on which we use your personal information;
- the length of time that we keep your personal information;
- who we share your personal information with;
- how we protect your personal information; and
- where and why we transfer your personal information outside of the EU.
We may collect your personal data in your capacity as: a member of our organisation, monthly supporter, donor, volunteer, employee, applicant for a job or training course, participant in our events or training sessions, subscriber to our mailing lists, business contact, or because you are a visitor to our website (nursesunited.org.uk) (the “Site”).
You provide your personal data to us on a voluntary basis. But without providing us with your personal data, you will be unable to (as appropriate) receive our regular update, campaign and events emails, join as a member or supporter, access our events, make a donation or apply for employment with us.
We may update this Policy from time to time without notice to you, so please check it regularly.
2. About us
NU is an unincorporated association. We are currently being incubated by the New Economy Organisers Network (NEON). Our principal activities include facilitating a network of Nurses and supporters of Nurses, to take action in campaigns to improve the lives of Nurses and defend the NHS.
NU is the data controller responsible for your personal information.
3. How we collect your personal information
We may collect your personal information in the following ways:
(1) When you give it to us DIRECTLY
You may give us your personal data in various ways, including when you apply to join our organisation as a member or supporter, opt-in to receive our update emails, when you participate in our events, when you apply for employment with us, when you apply to volunteer with us, when you share information about our work on Facebook, Twitter, Youtube and/or via email , when you contact us by phone, email or post, and/or when you donate money to us.
(2) When you give it to us INDIRECTLY
Your information may be shared with us by others including our strategic partners, organisation members, business contacts, sponsors and supporters of our organisation and services. Your information will also be provided to us when you follow us or otherwise interact with us on or via Twitter, when you subscribe to or interact with us on Youtube, when you like and/or join our page on Facebook or interact with us in other ways on or via Facebook.
(3) When you give permission to OTHER ORGANISATIONS to share it or it is AVAILABLE PUBLICLY
We may combine information you provide to us with information available from external publicly available sources. Depending on your privacy settings for social media services, we may also access information from those accounts or services. We use this information to gain a better understanding of our audience and to improve our communications, network facilitation, training and fundraising activities.
(4) When you visit our WEBSITE
4. What information do we collect?
We may collect, store and use the following kinds of personal data:
- your name and contact details, including physical address, telephone number and e-mail address, and social media identity
- financial information, such as payment-related information, including bank details or debit/credit card details
- the information you add when signing up to become a ‘member’ or ‘supporter’ including what role you hold within the nursing field, where you work and what union you are a member of.
- other personal information we receive in the course of providing services to you, including details of why you have decided to contact us/participate in one of our events, details of events you have attended and your contributions during event sessions, details of topics/areas of interest to you, responses to surveys you have completed, equal opportunities monitoring information and information about any health and disability-related requirements
- technical information, including information about your visits to and use of our Site and the device you used to access the Site, your IP address, geographical location, browser type, referral source, length of visit and number of page views
- marketing information, including information about the services you use, services and products of interest to you or any marketing and/or communication preferences you give; and/or any other information shared with us as per paragraph 1 above.
Do we process special categories of personal information?
Applicable law recognises certain categories of personal information as sensitive and therefore requiring more protection, including health information, ethnicity, trade union membership, religious beliefs, sexuality, and political opinions. We collect this type of data in the following circumstances:
- for our event attendees and organisation members and supporters, to monitor equal opportunities and the accessibility of our services;
- to ensure our provision is sensitive to health needs of participants;
- in the interests of positive action / anti-oppression, where we’re running opportunities e.g. events with limited places, if several candidates match our criteria equally, we may use this data to prioritise applications from members of underrepresented groups;
- where you voluntarily share information about your political views or your trade union membership as a NU member or supporter, which we use to understand your interests and ensure we are providing appropriate and relevant services.
In other limited cases, we may collect sensitive personal data about you. We only collect sensitive personal data if there is a clear reason for doing so; and only do so with your explicit consent.
5. How and why will we use your personal data?
We may use your personal information to:
- Manage and administer our relationship with you, including providing you with services (such as enabling participation in our organisation and programmes), products and information you have requested,
- Market our services, including sending you information about our programmes, events, campaigns, and any other information, products or services that we provide. We may do this by using marketing tools, such as Facebook marketing and by using personalisation to tailor and enhance your experience of our communications;
- Administer our Site, including monitoring its use;
- Administer payments;
- Administer participation in our events;
- Administer your employment and/or volunteering application;
- Carry out operational management of the organisation, including employee and volunteer recording and monitoring for safety, performance management or workforce planning purposes; provision and administration of staff pay and benefits; physical security, IT and network security; processing for historical, scientific or statistical purposes;
- Conduct research and data analysis into the impact of our work, including using analytics tools such as Google Analytics;
- Deal with enquiries and complaints made by or about you relating to the Site or us in general;
- Deliver or administer programmes, products, and information;
- To carry out financial management and controls, including processing financial transactions and maintain financial controls; prevent fraud, misuse of services and money laundering; enforce legal claims; and report criminal acts and comply with law enforcement agencies;
- Audit and/or administer our financial accounts and conduct other statutory reporting and regulatory compliance;
- Maintain a membership database and suppression lists;
- Conduct member and supporter research;
- Meet any other of our legal, regulatory and risk management obligations.
Using our services
If you apply to join our organisation or participate in one of our campaigns or events, then we will process your personal information in order to provide that service to you and to monitor the effectiveness and reach of our services as described above.
Supporter research We may use your personal information to undertake research to gather further information about you from publicly accessible sources (as per clause 1 above). This helps us to get a better understanding of your background, interests and preferences in order to improve our communications and/or interactions with you, to help ensure they are targeted to be relevant and appropriate, and to provide information (sometimes through third parties) about programmes and other aspects of our work which we consider may be of interest to you.
Where you have provided us with your physical address and appropriate consent, we may contact you by post. Where you have provided appropriate consent, we may also contact you by telephone, SMS and email, with targeted communications to let you know about our events and/or activities that we consider may be of particular interest, about the work of the company and to ask for donations or other support.
We may use some of your personal information to participate in Facebook’s Custom Audience and Lookalike Audience programs, which enable us to display adverts to both existing and prospective supporters when they visit Facebook. We may provide your email address to Facebook so they can determine whether you are a registered account holder with them. Our adverts may then appear when you access Facebook. Some of your data is sent in an encrypted format that is deleted by Facebook (a) if it does not match with a Facebook account or (b) after they confirm you are a registered account holder.
For more detailed information please see https://www.facebook.com/business/help/744354708981227 and Facebook’s data policy at https://en-gb.facebook.com/policy.php.
Using our Site
When you use our Site, you may be asked to provide us with personal information. When you provide us with personal information in this way, we only use it for the purposes stated to you at the time we collect that information.
Financial transactions carried out on our website are handled through Paypal. Direct Debits are processed through Stripe. These are third party payment providers. We recommend that you read Stripe’s privacy policies (available at https://stripe.com/gb/privacy) prior to effecting any transactions with us. We will provide your personal data to Stripe only to the extent necessary for the purposes of processing payments for transactions you enter into with us. We do not store your financial details.
6. Lawful processing
We are required to have one or more lawful grounds to process your personal information. We use your personal information on the following bases:
- Personal information is processed on the basis of a data subject’s consent
- Personal information is processed on the basis of a contractual relationship
- Personal information is processed on the basis of legal obligations
- Personal information is processed on the basis of legitimate interests
We will ask for your consent to use your information to send you postal or electronic communications such as newsletters and marketing and fundraising emails, for targeted advertising and profiling, to hold a profile of your information on our online member and supporter database and if you ever share sensitive personal information with us.
(2) Contractual relationships
Most of our interactions with members and website users are voluntary and not contractual. However, sometimes it will be necessary to process personal information so that we can enter contractual relationships with people. For example, if you apply for employment or to volunteer with us, or if you purchase something from us.
(3) Legal obligations
Sometimes we will be obliged to process your personal information due to legal obligations which are binding on us. We will only ever do so when strictly necessary.
(4) Legitimate interests
Applicable law allows personal information to be collected and used if it is reasonably necessary for our legitimate activities (as long as its use is fair, balanced and does not unduly impact individuals’ rights). We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent.
When we use your personal information, we will consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair in other ways.
7. Children’s data
Our services are not aimed at children and we require people to declare themselves to be 18 or over to become a member of our organisation or access our campaigns and events. Hence we do not knowingly process data of any person under the age of 18. If we come to discover or have reason to believe, that you are under 18 and we are holding your personal information, we will delete that information within a reasonable period and withhold our services accordingly.
8. Other disclosures
9. Security of and access to your personal data
We endeavour to ensure that there are appropriate and proportionate technical and organisational measures to prevent the loss, destruction, misuse, alteration, unauthorised disclosure or of access to your personal information.
Your information is only accessible by appropriately trained staff and contractors, apart from information you voluntarily share on our members’ platform.
We may also use agencies and/or suppliers to process data on our behalf. We may also merge or partner with other organisations and in so doing transfer and/or acquire personal data.
Please note that some countries outside of the EEA have a lower standard of protection for personal data, including lower security requirements and fewer rights for individuals. We may transfer and/or store personal data collected from you to and/or at a destination outside the European Economic Area (“EEA”). Such personal data may be processed by agencies and/or suppliers operating outside the EEA. If we transfer and/or store your personal data outside the EEA we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your personal data.
10. Your rights
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:
(1) Right to be informed – you have the right to be told how your personal information will be used. This Policy and other policies and statements used on our website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.
(2) Right of access – you can write to us to ask for confirmation of what information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will have 30 days to comply.
(3) Right of erasure – you can ask us for your personal information to be deleted from our records. In many cases we would propose to suppress further communications with you, rather than delete it.
(4) Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.
(5) Right to restrict processing – you have the right to ask for processing of your personal data to be restricted if there is disagreement about its accuracy or legitimate usage.
(6) Right to data portability – to the extent required by the General Data Protection Regulations (“GDPR”) where we are processing your personal information (i) under your consent, (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact or (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.
To exercise these rights, please send a description of the personal information in question using the contact details in section 14 below. To unsubscribe from our email lists or remove your data from our members’ platform please email email@example.com with your request.
Where we consider that the information with which you have provided us does not enable us to identify the personal information in question, we reserve the right to ask for (i) personal identification and/or (ii) further information.
Please note that some of these rights only apply in limited circumstances. For more information on your rights as a data subject, please consult guidance from the Information Commissioner’s Office (“ICO”). – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ – or please contact us using the details in section 14 below.
You are further entitled to make a complaint about us or the way we have processed your data to the ICO. For further information on how to exercise this right, please see the guidance at https://ico.org.uk/for-the-public/personal-information. The contact details of the ICO can be found here: https://ico.org.uk/global/contact-us/.
11. Data retention
In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
In the event that you ask us to stop sending you direct marketing/fundraising/member/other electronic communications, we will keep your name on our internal suppression list to ensure that you are not contacted again.
12. Policy amendments
13. Third-party websites
14. Updating information
You can check the personal data we hold about you, and ask us to update it where necessary, by emailing us at firstname.lastname@example.org
We are not required by law to have a “Data Protection Officer” – however compliance with data protection regulation is the responsibility of the Lead Organiser.
If you have any queries or concerns whatsoever about the way in which your data is being processed, or want to exercise your privacy rights, please contact us by:
- sending an email to email@example.com