Coram Group Privacy Notice

PROTECTING YOUR PRIVACY

Contents

  1.  Introduction
  2.  What is the Coram group?
  3.  Why do we use your personal data?
  4.  Explaining the legal bases we rely on
  5.  What sort of personal data do we collect?
  6.  How and when do we collect your personal data?
  7.  Profiling: making our communications relevant to you
  8.  Direct marketing
  9.  How we protect your personal data
  10.  How long will we keep your personal data?
  11.  Who do we share your personal data with?
  12.  Where your personal data may be processed
  13.  What are your rights over your personal data?
  14.  Contacting the Regulator
  15.  Any questions?

1. Introduction

We want everyone who supports us, or who comes to us for support, to feel confident and comfortable with how any personal information you share with us will be used and looked after. This Privacy Policy explains the types of personal data we may collect about you when you interact with us, as well as how we’ll store and handle that data, and keep it safe.

We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how the Coram group uses your data. If you would like more detail about how a specific project or service uses your data you can view their individual privacy policy on their website.

We hope the following sections will answer any questions you have but if not, please do get in touch with us.

It’s likely that we’ll need to change this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.

Back to top

2. What is the Coram Group?

The Coram group of charities – which we’ll refer to as ‘Coram’ in this document – is made up of a number of related charities and wholly-owned trading subsidiaries, all committed to improving the lives of the UK’s most vulnerable children and young people:

Coram’s registered address is Coram Campus, 41 Brunswick Square, London, WC1N 1AZ.

This privacy notice applies to all of the above entities. For simplicity throughout this notice, ‘we’, ‘us’ and ‘our’ means the Coram group of charities and its brands.

We are a ‘data controller’ for the purposes of the EU General Data Protection Regulation 2016/679 (‘Data Protection Law’). This means that we are responsible for, and control the processing of, your personal information.

Back to top

3. Why do we use your personal data?

We collect and use personal data for a number of purposes:

  • To process your donations or other payments, to claim Gift Aid on your donations and verify any financial transactions. 
  • To provide the services or goods that you have requested or that we feel may be of interest to you.
  • To update you with important administrative messages about your donation, an event, or services or goods you have requested.
  • To comply with the Charities (Protection and Social Investment) Act 2016 and follow the recommendations of the official regulator of charities, the Charities Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.
  • To keep a record of your relationship with us.

If you do not provide this information, we will not be able to process your donation, sign you up for a particular event, or provide goods and services you have requested.

We may also use your personal information to:

  • Contact you about our work and how you can support Coram (see section 8 on ‘Direct Marketing’ below for further information).
  • To invite you to participate in surveys or research.
  • To respond to your queries and complaints.
  • To protect our service users, visitors, staff, premises and assets from crime, we operate CCTV systems outside our buildings which record images for security.

For further information about why we use your personal data, please refer the privacy notice specific to the service you are using. 

Back to top

4. Explaining the legal bases we rely on

The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data, including:

Consent

In specific situations we can collect and process your data with your consent.

For example, when you tick a box to receive email newsletters from us.

When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations.

For example, if you have placed an order on our website, we’ll collect your address details to deliver your purchase.

Legal compliance

If the law requires us to, we may need to collect and process your data.

For example, in order to claim gift aid on a donation, HMRC requires us to retain your gift aid declaration which includes personal details such as your name, home address, and UK tax-payer status.

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our charity and which does not materially impact your rights, freedom or interests.

For example, to send you relevant, personalised communications by post in relation to updates, campaigns, services and products.

Vital interests

In limited cases we may need to use your data to protect your vital interests, or those of another person.

For example, we may share personal information with agencies, including local authority services and the police, where it is necessary to safeguard the welfare of a child or adult at risk. Any such decisions will adhere to the Government’s advice: Information Sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers (2015).

Back to top

5. What sort of personal data do we collect?

Personal data is any information that can be used to identify you, either by itself or in conjunction with other information that we hold, or may potentially have access to.

We only collect personal data relevant to the type of transactions you have with Coram. So for example, if you donate money, request services or products, become involved in one of our campaigns, register for our training or an event, sign up to any of Coram’s activities or online content (such as newsletters), or contact us by telephone, email, social media, post or text message, we may collect and process the personal information that you’ve provided.

This personal information may include:

  • Personal details (name, date of birth).
  • Contact details (email, address, telephone etc.)
  • Financial details to process your donations or other payments. Learn more in our Financial Data Privacy Notice (opens in a separate window). 
  • UK tax payer information (for Gift Aid)
  • Details of your interests and preferences (such as campaigns, the ways you support us, or areas of interest).
  • Details of your interactions with us.
  • Details of your visits to our websites, and which website you came from to ours.
  • Information gathered by the use of cookies in your web browser. Learn more in Coram's Cookie Policy here (link opens in separate window).
  • Your image may be recorded on CCTV when you visit one of our offices.

When collecting your personal data we’ll always make clear to you which data is necessary in connection to a particular service and why we need it.

A special note about the Sensitive Personal Information we hold

Data Protection Law recognises that some categories of personal information are more sensitive. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, sex life, sexual orientation or religious beliefs.

If you contact us through our helplines (such as Always Heard or our Child Law Advice Service), in person, or in other more general communications with us such as social media, our website, or emails, you may choose to provide details of a sensitive nature.

We will only use this information:

  • For the purposes of dealing with your enquiry, training our staff, and quality monitoring or evaluating the services we provide.
  • We will not pass on your details to anyone else without your express permission except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others, or children contacting us and sharing serious issues such as physical abuse or exploitation.

Back to top

6. How and when do we collect your personal data?

We collect information from you in the following ways:

When you interact with us directly

This could be:

  • When you make a donation to us.
  • When you access any of our services. These are governed by their own privacy notices, for more information see individual service websites. 
  • When you ask a member of our staff to email you information about a service or product.
  • When you register with us for training or an event, for example, one of our Adoption Activity Days.
  • When you contact one of our helplines, such as Always Heard or our Child Law Advice Service.
  • When you contact us by any means with queries, complaints etc. 
  • When you book any kind of appointment with us.
  • When you purchase something from our website or in person. For more information, see our Financial Data Privacy Notice (opens in a separate window). 
  • When you fill out any forms. For example, if an accident happens on our premises, a member of Coram staff may collect your personal information as part of the investigation.
  • When you choose to respond to one of our surveys.
  • When you apply for a job with us. For more information, see our Recruitment Privacy Notice (opens in a separate window).
  • When you apply for a volunteering opportunity with us.
  • Employee data is governed by a separate privacy notice.

When you interact with us through partners

This could be when you are referred to one of our services by another organisation such as your school or local authority.

When you interact with us through third parties

For example, if you provide a donation through a third party such as Just Giving or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.

When you visit our website

We gather general information which might include which pages you visit most often and which services, events or information is of most interest to you. We may also track which pages you visit when you click on links in emails from us. We also use “cookies” to help our site run effectively. For more information, please see the ‘Cookie Policy’ for this website (opens in new window). Please be aware that each of our websites may use different cookies so be sure to read the cookie policy for the website you are on.

We use this information to personalise the way our websites are presented when you visit, to make improvements, and to ensure we provide the best service and experience for you. Whenever possible we use anonymous information which does not identify individual visitors to our website.

When you access Coram’s social media

We might also obtain your personal data through your use of social media such as Facebook, WhatsApp, Twitter, LinkedIn or YouTube, depending on your settings or the privacy notices of these social media and messaging services. To change your settings on these services, please refer to their individual privacy notices, which will tell you how to do this (all links open in a new window; please note we can’t be responsible for the content of external websites):

When you visit our offices

Our premises usually operate CCTV systems for the security of both visitors and staff. These systems may record your image during your visit. You will be notified of the presence of CCTV cameras by clear signs which will also provide you with a number to call if you have any queries.

From other information that is available to the public

In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third party subscription services or service providers (we have provided further details about these below – see ‘Profiling: Making our communications relevant to you’).

7. Profiling: making our communications relevant to you

We are grateful for every single penny we receive from our supporters – every penny that goes towards improving the lives of vulnerable children and young people for the better. But we want to ensure that what we ask of our supporters is fair, reasonable, and relevant to them. For this reason we sometimes do something called 'profiling'. It's a standard practice across the charity sector, and simply means we look at your personal information – your background – and consider what's appropriate to ask of you or send to you.

We do this manually, by looking at information that you've given us, or information that's publicly available – for example on social media and other public sources. It means we can tailor communications so that they are relevant (perhaps in relation to one of our services in your area), timely, and respectful – only asking for donations that are within a supporter's means, or appropriate for those who may be able/willing to give more than they already do.

It also enables us to identify those who are in the fortunate position of being able to help us fund entire projects or services, and whether they would like to meet with us to develop a more personal relationship and/or discuss future opportunities to support our work in helping children.

In turn, this approach means that we can raise funds sooner, and more cost-effectively – something we know to be of great importance to our supporters.

If you would rather your personal information is not used for the purposes of profiling, please email us at dataprotection@coram.org.uk with the subject line 'Please stop analysis of my data' or by contacting us at Data Protection, Coram, 41 Brunswick Square, London, WC1N 1AX.

Back to top

8. Direct marketing

We will only contact you about our work and how you can support Coram by phone, email or text message, if you have agreed for us to contact you in this manner.

However, if you have provided us with your postal address we may send you information about our work and how you can support Coram by mail unless you have told us that you would prefer not to hear from us in that way.

There are several ways you can stop direct marketing communications from us:

  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular service.
  • Reply 'STOP' to any text message that we send you.
  • If you have an account, log in and visit the ‘my account’ area to change your preferences.
  • Email us at supportercare@coram.org.uk or write to us at Supporter Care, Coram Campus, 41 Brunswick Square, London, WC1N 1AX.

Back to top

9. How we protect your personal data

We know how much data security matters to you, and with this in mind, we treat your data with the utmost care. Coram employs appropriate administrative, technical, organisational, and physical security measures to protect your information and data against accidental or unlawful destruction, loss, or alteration, and against unauthorised disclosure and access.

We use standard industry practices to protect user information, including firewalls, SSL encryption, and system redundancies. Our staff and volunteers all receive mandatory data protection and information security training and we have a set of detailed data protection procedures that personnel are required to follow when handling personal data.

Unfortunately, no data transmission or storage can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot guarantee security of the information you transmit to us via email or through our websites.

Where we use external companies to collect or process personal data on our behalf we do comprehensive checks before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf. We have a robust partner monitoring framework to ensure these contractual obligations are met.

Back to top

10. How long will we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. This will be based on either a legal requirement (where a law says we have to keep information for a specific period of time) or accepted business practice.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

Some examples of personal data retention periods:

Donations subject to Gift Aid
We will keep a record of your Gift Aid donation for seven years to comply with HMRC rules.

Marketing opt-out
If you request that we stop sending you marketing materials we will keep a record of your contact details and the minimum appropriate information to enable us to comply with your request not to be contacted by us. 

Back to top

11. Who do we share your personal data with?

The personal information we collect about you will mainly be used by our staff (and volunteers) at Coram so that we can support you.

We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.

We may, however, share your personal data with trusted third parties who work with us or on our behalf to deliver our services.

Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • They are required to comply with all relevant Data Protection Laws.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

  • IT companies who support our websites and other business systems.
  • Direct marketing companies who help us manage our electronic communications with you.
  • Partners who help us process donations and claim Gift Aid.

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

  • With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.
  • For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
  • We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our supporters, service users and staff into consideration.
  • We may, from time to time, expand, reduce or sell the Coram Group and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

For further information please contact our Managing Director for Compliance.

Back to top

12. Where your personal data may be processed

Sometimes we will need to share your personal data with third parties outside the European Economic Area (EEA), such as the USA.

Protecting your data outside the EEA

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA.

For example, this might be required in order to process your payment details or provide support services.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our Managing Director for Compliance.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice. 

Back to top

13. What are your rights over your personal data?

We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights.

You have the right to:

  • Ask us what information we hold about you – and be given that information (usually free of charge).
  • Ask us to correct, change or update any information we hold about you.
  • Withdraw your consent for us to use your information.
  • Ask us to delete your information entirely. For example, when you withdraw consent, or object to us processing your data and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
  • Object to your data being processed by us (for legitimate interests) for reasons connected to your individual situation. We must do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
  • Make a complaint or ask any other question in relation to your information.
  • Ask us to stop using your personal data for direct marketing (either through specific channels, or all channels). We must always comply with your request.
  • Review by a Coram staff member of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).

To exercise any of your rights, or ask us any questions about our data protection practices, please either speak to your Coram contact (if you have one) or email dataprotection@coram.org.uk.

You can also write to us at:
Managing Director of Compliance
Coram Campus
41 Brunswick Square
London
WC1N 1AX

If we choose not to action your request we will explain to you the reasons for our refusal.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act. 

Back to top

14. Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113 (local rate) or 01625 545745 (national rate)

Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites)

Or write to them at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Back to top

15. Any questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, please contact our Managing Director for Compliance who will be pleased to help you:

  • Email us at dataprotection@coram.org.uk
  • Or write to us at Managing Director of Compliance, Coram Campus, 41 Brunswick Square, London, WC1N 1AZ.

This notice was last updated on 22 May 2018

Back to top of page