Privacy
Your Rights and Overarching Principles
Please be assured, we will not share or distribute your personal information to third parties unless we have your permission or are required to do so by law. This includes any contact details you have given us.
We are committed to ensuring that any information we hold about you is secure. We have in place suitable physical, electronic and managerial procedures to safeguard the information we collect. If at any time there is a data security breach, we will follow the procedures set out in this policy and record details of the incident and the actions we took.
You have the right to request:
- access to any information we hold about you
- that we amend or correct your information
- that we delete information we hold about you
- that we restrict who may see / use your information
- that you are given your information in a form that you can use
For more information about how to make these requests and how we will respond, please click here.
1. Controlling and Processing Data
Under the UK General Data Protection Regulation (UK GDPR), in force since 1 January 2021, organisations must identify who controls and who processes personal data.
Our Data Controllers determine what data / information to collect and how to collect it. At SMA UK, these decisions are made on behalf of our trustees by the managers of the Support Services and Fundraising Teams.
Our Data Processors process the data on behalf of the controllers. At SMA UK, all staff process data / information that enables them to carry out their duties; what they process depends on their role. We also use three external processors: Blackbaud, Mailchimp and SurveyMonkey. Our database is stored on a secure server run by Blackbaud, an industry-recognised IT support organisation, who run the system and provide security and updates so that our database system works effectively. Mailchimp and SurveyMonkey are external services that hold email addresses and support the processing of our electronic newsletter and surveys. Access to the email addresses held on these services is restricted to specified employees of SMA UK.
We hope this policy will help you understand more about how we comply with the GDPR:
2. Protecting Individual Privacy
We believe that respecting and protecting a person’s privacy is of the utmost importance. We apply the principles of the UK General Data Protection Regulation (UK GDPR), which came into effect on 1 January 2021, the Data Protection Act 2018, the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) across all our activities. For data received from the EU before 1 January 2021 we also apply the EU General Data Protection Regulation (EU GDPR).
The principles of the above Acts and Regulations apply across all our activities. How we implement these principles varies depending on the activity e.g. the provision of an information and support service; a fundraising initiative; the recruitment and supervision of employees and volunteers; Trustee business. Team managers are responsible for their implementation and monitoring and report to the Board as required.
The GDPR principles and how we practise them follow:
2.1 Processed lawfully, fairly and transparently
We must have legitimate grounds for collecting and using personal data and be transparent about how the information will be used. People’s personal data must be handled only in ways they would reasonably expect us to use it. This includes giving individuals clear statements about how we use and protect their information. Individuals have a right to ask for a copy of the information we hold about them in our records.
2.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We must be clear why we are collecting personal data and what we intend to do with it. If we wish to use or disclose personal data for any purpose that is different from or additional to the original purpose, we must first ensure that the new use is agreed as fair by the data subject (the person the information is about) and / or a senior colleague.
2.3 Adequate, relevant and limited to what is necessary
Any personal data we hold about an individual must be sufficient for the purpose for which we hold it. We must not hold more information than we need.
2.4 Accurate and, where necessary, kept up to date
We must take reasonable steps to ensure that personal data obtained is correct and not misleading and consider whether or when it is necessary to update the information.
2.5 Retained for no longer than necessary. May be archived for statistical purposes, provided the rights of the individual are protected
We must keep under review the length of time we hold personal data. This may be for longer in some cases than others depending on the purpose for which the data was obtained. We must regularly review personal data and delete in a secure way information that is no longer needed.
Individuals may at any time request that their personal information is removed. Such requests should be responded to promptly. All database entries should be deleted in a secure manner and hard copy information should be shredded.
2.6 Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
We must have appropriate security systems and practices that prevent personal data we hold being accidentally or deliberately compromised.
3. Data Protection by Design and Default and Risk Assessments of new projects
Article 25 of the GDPR requires Data Protection by Design and Default, so all systems for data processing and storage are assessed against it. You can read more about what this entails in appendix 10. The practical implementation of how we do this is described in this policy. Additionally, all new projects are risk assessed following the risk assessment process outlined in appendix 11.
4. Protecting the interests of SMA UK
Employees and trustees must not disclose to any un-authorised person any confidential information about the interests or business of the charity, its staff, trustees, beneficiaries, funders or other partners.
A non-exhaustive list of the information which SMA UK considers confidential, unless such information is already legitimately in the public domain, includes information held in relation to:
- Funding applications, grant applications, joint ventures, project initiatives, strategic plans etc.
- Finances
- Security arrangements
- Individual salaries or other confidential information relating to contracts of employment.
When employees or trustees leave SMA UK, they must immediately return any files, documents, reference books and other papers relating directly or indirectly to the charity or its staff, beneficiaries, funders or other partners. Any emails and electronic documents relating to the organisation must be deleted from personal computers and devices.
Employees and trustees must be particularly alert to requests from the press or other media and should refer such requests to the Support Services and Fundraising Managers before disclosing any information in response to such enquiries.
Confidential and sensitive information is restricted to those who need the information in the course of their work for the organisation. Any restricted information must not be disclosed to anyone else, whether inside or outside the charity. Restricted information, whether communicated orally, electronically or in writing should always be identified as ‘Confidential’ and where appropriate ‘for (recipient’s) eyes only’. Such information might include:
- Proposals or plans for the future
- Special forthcoming events or projects before they have been announced
- Financial and statistical information
- Sensitive business information
- Sensitive personal information
- Information relating to employees, volunteers and staff including applicants for positions, leavers or joiners prior to any public announcement.
5. Summary of General Rules – Staff, Trustees and Volunteers
All employees, trustees and any volunteers are required NOT to:
- Leave confidential information (in paper or electronic form) where it is easily visible in the office or elsewhere. THINK PRIVACY!
- Use computer software, programmes or any electronic equipment that has not been authorised by SMA UK
- Give any press interviews or statements on or off the record without first discussing this with the SMA UK’s managers
- Write personal letters on SMA UK’s headed paper or under SMA UK’s banner
- Discuss with others the business of other service users, volunteers, staff, trustees or funders except as strictly required by their job.
- Conduct confidential conversations (including over the phone) where they may be overheard
Employees and trustees, whether paid or unpaid, who leave the charity will continue to be bound by their obligations of confidentiality even after the termination of their SMA UK post, whatever the reason.
Nothing in this policy will prevent an individual from making a ‘protected disclosure’ within the meaning of the Public Interest Disclosure Act 1998 (i.e. a legitimate, good faith ‘whistleblowing’ disclosure)
Breaches of this policy by employees will be dealt with through the SMA UK’s disciplinary procedures. Breaches by trustees will be dealt with under the process laid down in the trustee code of conduct.
Very occasionally we may introduce a volunteer who has been carefully recruited and received training from our Shared Experiences Coordinator directly to support another member of the SMA community. Training includes the topics of confidentiality and boundaries. They know not to share the personal details of the person / family they are supporting, nor the contents of any conversations and emails, nor to leave any confidential information (in paper or electronic form) where it is easily visible. They know that this applies during their time as a volunteer supporter and thereafter as well. They know to always check that they have the person’s specific permission before they discuss or do anything on their behalf. If they have any doubts, they know to ask the Shared Experiences Coordinator, who is there in an ongoing support role, or any member of the Support Services team for guidance.
Volunteers also know that safeguarding of children and adults at risk takes priority over confidentiality.
6. Data Breaches
If a data breach occurs, a risk assessment is carried out immediately and recorded on our Security Concern or Data Breach Notification Form (Appendix 12), and the breach is addressed following the guidelines laid out in Appendix 12a or 12b. Where the breach is likely to result in a risk to individuals, the UK GDPR (Article 33) requires us to notify the Information Commissioner’s Office within 72 hours of becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay (Article 34).
7. Making our confidentiality and data protection policy known
All staff and trustees are given a copy of this policy and, where appropriate, any relevant implementation guidelines, when they join the Trust. They have an opportunity for discussion with their manager or mentor.
Anyone visiting our website can read a short summary of how this policy impacts on them when they read our Privacy Notices.
Last reviewed and updated July 2020.
If you contact SMA UK Information and Support Services via our website, you are asked to consent to our holding and processing your information so that we can assist you with your enquiry. We give you the link to this notice so that you can read more about how we do this.
If you have contacted us by phone or another way, it’s not always easy or appropriate to interrupt you and ask you for your consent to hold and process your information. In this case, we initially use the General Data Protection Regulation (GDPR) test of whether we have a ‘legitimate interest’ which allows us to do this. This test is ‘are we using your personal data in a way that you would reasonably expect and which will have a minimal impact on your privacy?’ We believe the answer is ‘yes’. We do though prefer to have your active consent to hold your information so, if we have contact details for you, we follow up with you later to give you this opportunity. You can read more about this here.
We hope our explanations below of what we do with your personal information, why and how, will reassure you our practices are lawful and of a high standard, but please don’t hesitate to get in touch and ask more questions if you wish. Please do share this notice with members of your family, especially if you are contacting us about a service for your child(ren) and they are of an age at which it is helpful to make them aware of the need to protect their privacy and personal information and ask questions about it (the GDPR suggests age 13+).
What information do we hold and why?
We record your contact information and brief details of your enquiry. We use this information to assist you with your enquiry. So that we can keep track of our contact with you and continue to help you, we record brief details of any phone calls and email / other exchanges we have.
If your contact with our service is for more than a ‘one off’ information call, we will need to gather and record relevant personal information about you and your family and the people who support you, so that we can provide you with the most effective support service. If you are an adult with SMA, this may include information about your SMA and how this impacts on you. If you are a parent, this may include information about your child(ren), their SMA and how this impacts on them and you.
To work out how best to assist you, we may also, with your permission, need to gather information from other health and social care professionals supporting you. Your information may be shared within our Support Services Team.
We do our best to make sure your information is up to date and accurate. We rely on you to tell us if any of your contact details change. You can read more about this here.
Where do we keep your information?
Your information is kept securely on our database. You can read about how this is protected, here.
Who has access to this information?
Only staff working at SMA UK have access to this information, which includes your support service record, your offers to help and your donations (if you have made any). Staff only access the parts of your record they need to fulfil their job requirements. All staff sign and adhere to a strict code of confidentiality and conduct which specifies that they must only access information that they ‘need to know’ to fulfil those requirements.
Your personal information and any child’s personal information, will never be disclosed to anyone else unless it is necessary as part of our support service. You will always be asked if you agree to this. The only exception to this is if we are ever concerned that someone is a danger to themselves or others or we believe a child or adult is at risk of harm or we are required to do so by law.
If you are interested in clinical trials, you may have registered with the UK SMA Patient Registry. We keep in touch with the registry so that they can efficiently keep in touch with people. We let the Patient Registry Curator know if we have been told of a significant change in an adult/ child’s circumstances that will affect their participation in the Registry. We don’t share any other personal information with the Curator.
We produce statistical returns and reports about our services and the feedback we receive. Any information used in this way is always anonymous unless we have your permission to identify you.
How long do we keep your information?
If you no longer wish to have contact with us, we normally keep your and any child’s records for seven years. Our experience is that people often come back to us for further advice / support and it can be very helpful to have a record of previous contact, saving people a lot of time telling us about their situation. ‘Contact’ includes being in contact via our monthly E-news or our twice-a-year ‘SMA Matters’ newsletter – if you have chosen to ‘opt in’ to either of these. After this your record is deactivated. You can read more about this here.
Can you ask to see your information and check it is correct?
You may at any time ask to see copies of any information we hold about you. You may check it and ask for it to be corrected or deleted. We will respond promptly to your request, but if we were concerned that this could mean that someone would be a danger to themselves or others or we believed a child or adult is at risk of harm we may not be able to make the requested change. We would discuss this with you. You can read more about this here.
Last updated July 2020.
If you contact SMA UK via our website, you are asked to consent to our holding and processing your information so that we can respond to your offer to help us / process your donation. We give you the link to this notice so that you can read more about how we do this.
If you have contacted us by phone or another way, it’s not always easy or appropriate to interrupt you and ask you for your consent to hold and process your information. In this case, we use the General Data Protection Regulation (GDPR) test of whether we have a ‘legitimate interest’ which allows us to do this. This test is ‘are we using your personal data in a way that you would reasonably expect and which will have a minimal impact on your privacy?’
We hope our explanations below of what we do with your personal information, why and how, will reassure you, but please don’t hesitate to get in touch and ask more questions if you wish. Please do share this notice with members of your family, especially if you are contacting us and your child(ren) are going to get involved and are of an age at which it is helpful to make them aware of the need to protect their privacy and personal information and ask questions about it (the GDPR suggests age 13+).
What information do we hold and why?
We record your contact information and brief details of your enquiry. We use this information to respond to your offer of help / process your donation. So that we can keep track of our contact with you and continue to work with you, we record brief details of any phone calls and email / other exchanges we have.
We do our best to make sure your information is up to date and accurate. We rely on you to tell us if any of your contact details change.
Where do we keep your information?
Your information is kept securely on our computerised database.
If you make a donation, we use SagePay to securely process your card details, and we meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Your card details are handled by SagePay and are never stored on any SMA UK system. We securely store your contact information and details of the amount donated and when it was donated on our computerised database.
You can read more about the security of our systems and how this protects your information, here.
Who has access to this information?
Only staff working at SMA UK have access to information about your offer of help. They have access to your support service record (if you have one), your offers to help and your donations. However, all staff sign and adhere to a strict code of confidentiality and conduct which specifies that they must only access information that they ‘need to know’ to fulfil their job requirements.
Your personal information and any child’s personal information, will never be disclosed to anyone else unless it is necessary e.g. if you are taking one of our places in an event. You will always be asked if you agree to this. The only exception to this is if we are ever concerned that someone is a danger to themselves or others or we believe a child or adult is at risk of harm or we are required to do so by law.
If you have made a donation, your card details are not available to any member of staff.
How long do we keep your information?
If you are a donor, the Companies Act, the Charities Act and HMRC require us to keep a record of your donation and related correspondence for 6 years.
Our experience is that people often come back to us with further offers of help and donations and it can be very helpful to have a record of previous contact, saving people a lot of time telling us about themselves. We normally therefore keep your and any child’s records for a bit longer than this – eight years since our last contact. ‘Contact’ includes being in contact via our monthly E-news or our twice-a-year ‘SMA Matters’ newsletter – if you have chosen to ‘opt in’ to either of these. After this your record is deactivated. You can read more about this here.
If you hold a Tribute (previously Angel Fund) or SMArt Fund (previously Inspirations Fund) so that all your fundraising is recorded to honour someone important to you, we may keep this open for longer. This is so that, if you decide to come back to fundraising after a break, all your information is still available to you.
Can you ask to see your information and check it is correct?
You may at any time ask to see copies of any information we hold about you. You may check it and ask for it to be corrected or deleted. We will respond promptly to your request, but if we were concerned that this could mean that someone would be a danger to themselves or others or we believed a child or adult is at risk of harm we may not be able to make the requested change. We would discuss this with you. You can read more about this here.
Last updated July 2020.
Our shop is always open and ready for your online order.
When you make your order, you are asked to consent to our holding and processing your information so that we can respond to your request. We give you the link to this notice so that you can read more about how we do this.
Your contact information and details of your order are stored carefully using our secure computerised database.
We use SagePay to securely process your card details, and we meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Your card details are handled by SagePay; they are never stored on any SMA UK system and are not available to any member of staff.
You can read more about the security of our systems and how this protects your information, here.
Who has access to this information?
Only staff working at SMA UK have access to information about you and your order. All staff sign and adhere to a strict code of confidentiality and conduct which specifies that they must only access information that they ‘need to know’ to fulfil their job requirements.
Your personal information will never be disclosed to anyone else unless it is required by law.
How long do we keep your information?
The Companies Act, the Charities Act and HMRC require us to keep a record of your purchase and any related correspondence for 6 years.
Our experience is that people often come back to us to make further purchases, offer help or make donations and it can be very helpful to have a record of previous contact, saving people a lot of time telling us about themselves. We normally therefore keep your record for a bit longer than this – eight years since our last contact. ‘Contact’ includes being in contact via our monthly E-news or our twice-a-year ‘SMA Matters’ newsletter – if you have chosen to ‘opt in’ to either of these. After this your record is deactivated. You can read more about this here.
Can you ask to see your information and check it is correct?
You may at any time ask to see copies of any information we hold about you. You may check it and ask for it to be corrected or deleted. You can read more about this here.
Last updated July 2020.
When you sign up for mailings we respectfully take note of the options you have chosen and only contact you in the way you have requested.
We securely store your contact information and details using our computerised database. You can read more about this here.
We store your information for up to 8 years. You can read more about this here.
You may at any time ask to see copies of any information we hold about you. You may check it and ask for it to be corrected or deleted. You can read more about this here.
Last updated May 2020.
Our website has links to other websites of interest.
Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this privacy statement. We suggest you exercise caution and look at the privacy statement applicable to the website in question.