Privacy Notice

We are committed to protecting your personal information and being transparent about what we do with it, no matter how you interact with us. That’s whether you want to work, volunteer or advocate for us, donate, buy goods, or use our services, want information, training or want to learn more about what we do.

Find out how we use your information, whether you're an applicant, volunteer, or employee.

We are committed to using your personal information in accordance with our responsibilities. We are required to provide you with the information in this Privacy Notice under applicable law which includes:

  • UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA’) referred to as the ‘data protection legislation’
  • the Privacy and Electronic Communications Regulation (2003)

We will not do anything with your information you would not reasonably expect.

Processing of your personal information is carried out by or on behalf of the British Red Cross Society, incorporated by Royal Charter 1908; registered as a charity in England and Wales (220949), Scotland (SC037738), Jersey (430) and the Isle of Man (0752); and Britcross Ltd registered as a company in England and Wales (00932598) (collectively ‘British Red Cross’).

This notice, together with our website terms and conditions and our cookies policy tells you about how we collect, use, and protect your personal information.

If you have any queries about our Privacy Notice, please get in touch with our Information Governance team:

Email dataprotection@redcross.org.uk
Phone 0344 871 1111
Post

Head of Information Governance
British Red Cross
44 Moorfields
London
EC2Y 9AL


How and when we collect information about you

When you directly give us information

We may collect and store information about you when you interact with us. For example, this could be when you:

  • support our work through a donation
  • fundraise on our behalf
  • register for an event
  • tell us your story
  • buy goods from our online shop
  • submit an enquiry
  • register for or use our services
  • participate in our training
  • give us feedback
  • make a complaint
  • use one of our apps
  • apply for a job
  • register as a volunteer
  • enter into a contract with us
  • are captured by CCTV recording.

When you indirectly give us information

When you interact with us on social media platforms such as Facebook, WhatsApp, Twitter, or LinkedIn we may also obtain some personal information about you. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to their privacy notices.

We may obtain information about your visit to our site, for example the pages you visit and how you navigate the site, by using cookies. Please visit our cookies policy for information on this.

What information we might collect

When you engage with us by phone, mail, in person or online, we may collect information about you (referred to in this Privacy Notice as 'personal information'). This may include your name, address, email address, telephone number, date of birth, job title and details of your education and career, why you are interested in British Red Cross, and other information relating to you personally which you may choose to provide to us.

Data protection law recognises that certain types of personal information are more sensitive. This is known as 'sensitive' or 'special category' personal information and covers information revealing racial or ethnic origin, religious or philosophical beliefs and political opinions, trade union membership, genetic or biometric data, information concerning health or data concerning a person's sex life or sexual orientation.

Sensitive information will only be collected where necessary, for example, we may need to collect health information from you when you register for a challenge event or to deliver a community service as a volunteer or member of staff. Clear notices will be provided at the time we collect this information, stating what information is needed, and why.

With your explicit consent, we may also collect sensitive personal information if you choose to tell us about your experiences relating to our services for use in a case study.

If you're under 16

If you're aged under 16, you must get your parent/guardian’s permission before you provide any personal information to us.

How and why we use your information

We will use your personal information for the following purposes:

  • Donation processing: We will process personal information you provide in order to administer any one-off or on-going donations you make and claim Gift Aid.
  • Responding to a request: If you contact us with a query, we may use your personal information to provide you with a response.
  • Fundraising or direct marketing: We will only send you marketing information by email, SMS, or phone if you have given us specific consent. If you withdraw your consent and then subsequently opt in to receive marketing information again, then your most recent preference may supersede. If you make a donation, you may also receive fundraising appeals by post, which you can opt out of at any time.
  • Monitoring and Evaluating: We may use your information in order to improve current and future delivery of our services.
  • Co-production: We may invite you to participate in projects or initiatives that enable you to help develop or review our services, or shape our research, media, policy, and advocacy activity. Participation is always voluntary. Your decision whether to participate will not affect you accessing a British Red Cross service. No individuals will be identified as participating in co-production projects unless they explicitly consent to this.
  • Family Reunion: As part of our International commitment to reuniting families separated by armed conflict or other situations of violence; natural or man-made disasters; migration; we may review the data we already hold on our systems in order to establish a link. Once identified we will only share this information if we have your explicit consent. 
  • Processing an application to work with us and obtaining/providing references: If you apply to work with us, we will need to process your personal data, including, for example, identification data (e.g., name, nationality, national insurance number and bank details), contact details, education and work experience, information collected as part of your interview process, background check information and/or other application data.  We may also need to process sensitive personal data about you such as health and medical data, criminal records data, and race/ethnicity data.  
     
    We will use this data to process your application, to determine your eligibility for the role you have applied for, to comply with the law and our obligations, to communicate with you and third parties and/or to carry out background checks.  

    For certain roles, we may be required to carry out a check under the Inter-Agency Scheme for the Disclosure of Safeguarding-related Misconduct in Recruitment Process within the Humanitarian and Development Sector (the 'Misconduct Disclosure Scheme')  The purpose of the Misconduct Disclosure Scheme is to enable participating humanitarian, development and other civil society organisations to share relevant information about people who have found to have been involved in or committed sexual exploitation, sexual abuse or sexual harassment during employment or in a governing role, for the purpose of making informed recruitment/appointment decisions.  More details about the Misconduct Disclosure Scheme are available on the Steering Committee for Humanitarian Response website.  

    If you apply for employment with the British Red Cross, we may need to request references under the Misconduct Disclosure Scheme from organisations you have previously worked for.  Likewise, if you leave the British Red Cross and apply for a role elsewhere, the organisation you have applied to work for may ask us for a reference under the Misconduct Disclosure Scheme.  Making or responding to such a request would involve us processing your personal data, and potentially also sensitive personal data (such as criminal records data and/or sexual life data).

    The British Red Cross relies on "legitimate interests" for processing personal data in relation to the Misconduct Disclosure Scheme.  In other words, we consider that the processing is necessary for the purposes of legitimate interests pursued by the British Red Cross and other organisations who participate in the Misconduct Disclosure Scheme, as well as the legitimate interests of the individuals and communities that those organisations serve, and those legitimate interests are not overridden by the interests and fundamental rights and freedoms of the data subject.  

    In relation to any special category data which is processed, we consider that the processing is "necessary for reasons of substantial public interest", in particular for preventing or detecting unlawful acts and/or safeguarding of children and of individuals at risk.

    If you are unsuccessful in applying for a job with us, we may hold your personal information after we've finished recruiting for the post you applied for, for up to 12 months to deal with any follow up queries or issues.

    We keep statistical information about all applicants to develop our recruitment processes however no individual applicant would be identifiable from this information.

    If you commence employment with the British Red Cross, your personal information will be processed in accordance with your employment contract and other applicable human resources policies we have from time to time.
  • Transactional purposes: We will need to use your personal information in order to carry out our obligations arising from any contracts entered into between you and us for goods or services, for example, processing your order and payment for a product from our online shop.
  • Providing and developing our website: We may use your personal information to help provide you with access to our website, personalise your experience, and improve and develop it further.
  • Administration: We may use your personal information to record and deal with a complaint, record a request not to receive further marketing information, record what our volunteers have done for us, and for other essential internal record keeping purposes.
  • Prevention of crime: We may record your image on CCTV which we use to prevent crime and keep our people and the public safe.
  • Protecting your vital interests: We may process your personal information where we reasonably think that there is a risk of serious harm or abuse to you or someone else.
  • Market research and surveys: We may invite you to participate in surveys or market research to help us improve our website, fundraising, services, and strategic development. Participation is always voluntary, and no individuals will be identified as a result of this research, unless you consent to us publishing your feedback.
  • Legal, regulatory and tax compliance: Where required we are subject to a legal obligation, we may process your personal information to fulfil that obligation.
  • Profiling and analysis: We may occasionally for the purposes of our legitimate interests use your personal information to conduct profiling of our supporters or potential supporters. This will help us target communications in a more focused, efficient, and cost-effective way, helping us reduce the chances of supporters and potential supporters receiving inappropriate or irrelevant communications. You can object to such use of your personal information for profiling at any time by contacting us at the details set out at the end of this Privacy Notice.

Our profiling and analysis activities can be broken into five categories:

1. Data matching

We may combine the personal information you have given us with data obtained from external sources, such as the Office for National Statistics, to infer the likely social, demographic, and financial characteristics, so we can tailor our communications and services to better meet your needs or the needs of others like you based on the insight we gain from the profile we build. We will not use the results of this data matching activity in a way that intrudes on your privacy or your previously expressed privacy preferences.

2. Segmenting

We conduct analysis of supporters by group, post code or particular area where supporters may be based. This is to ensure that campaigns or mailings are sent to those who will be most interested or likely to respond. This type of activity is not aimed at identifying specific individuals to target, but rather many individuals who may fall within a certain segment of supporters.

3. Major donor analysis

We may carry out research to determine whether an individual could be a potential major donor. The major donor analysis could extend to individuals who work at our corporate partners and doing research into their role. We may use publicly available information from third party sources such as Google and Companies House, published biographies, and publicly available LinkedIn profiles. The type of information we collect can include:

  • career overview
  • gift capacity
  • areas of interest 
  • history of giving to us and others
  • how the individual is connected with us and others
  • public information on any philanthropic activities.

4. High value event planning

We may also use profiling to produce short biographies of people who are due to meet with our leadership or attend an event that we may be hosting.

This helps our people to understand more about those we engage with, and their interests or connection to us.

Company Prospecting: We may carry out research to identify companies that have the potential for corporate partnerships with British Red Cross. We may use publicly available information from third party sources such as Google and Companies House, published biographies about executive board members, and publicly available LinkedIn profiles, as well as third party providers of company information, like Pearlfinders, who provide information about companies and individuals who work within them who have an interest potential in charitable partnerships.

5. Ethical screening and minimising risk

As a registered charity, we are subject to a number of legal and regulatory obligations and standards. The public naturally expect charities to operate in an ethical manner and this is integral to developing high levels of trust and demonstrating our integrity.

This means that we may carry out appropriate due diligence of donors, check donations and implement robust financial controls to help protect the charity from abuse, fraud and/or money laundering.

We may carry out background checks and due diligence on potential donors or anyone planning on making a significant donation or gift before we can accept it.

We may also ethically screen supporters to minimise risk of creating an association with an individual or group that conflicts with the standards we have set out in our overarching ethical policy.

Who do we share your information with?

We will only use your information for the purposes for which it was obtained. We will not, under any circumstances, sell or share your personal information with any third party for their own purposes, and you will not receive marketing from any other companies, charities, or other organisations as a result of giving your details to us.

We will only share your data for the following purposes:

  1. Third party suppliers: We may need to share your information with data hosting providers or service providers who help us to deliver our services, projects, or fundraising activities and appeals. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses.
  2. Where legally required: We will comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.

We always aim to ensure that personal information is only used by those third parties for lawful purposes in accordance with this Privacy Notice.

How we protect your information

We use technical and corporate organisational safeguards to ensure that your personal information is secure. We limit access to information on a need-to-know basis and take appropriate measures to ensure that our people are aware that such information is only used in accordance with this Privacy Notice.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers, and contractors.

Our online forms are always encrypted, and our network is protected and routinely monitored.

If you use your credit or debit card to donate to us, buy something or make a booking online, we pass your card details securely to our payment processing partners. We do this in accordance with industry standards and do not store the details on our website.

However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of data (including personal information) disclosed or transmitted over public networks.

Vulnerable circumstances

We understand that additional care may be required when we collect and process the personal information of vulnerable supporters and volunteers. In recognition of this, we observe good practice guideline in our interactions with vulnerable people.

How long will we keep your information?

We will keep your personal information in respect of financial transactions for as long as the law requires us to for tax or accounting purposes (which may be up to six years after a particular transaction).

If you request that we stop processing your personal information for the purpose of marketing, we may in some instances need to add your details to a suppression file to enable us to comply with your request not to be contacted.

In respect of other personal information, we will retain it for no longer than necessary for the purposes for which it was collected, taking into account guidance issued by the Information Commissioner’s Office.

International transfers of information

We may, on occasion decide to use the services of a supplier outside the European Economic Area (EEA), which means that your personal information is transferred, processed, and stored outside the EEA. You should be aware that, in general, legal protection for personal information in countries outside the EEA may not be equivalent to the level of protection provided in the EEA.

However we take steps to put in place suitable safeguards to protect your personal information when processed by the supplier such as entering into the International Data Transfer Agreement and Addendum. When we transfer your personal information and process it in the United States, we do so in accordance with the International Data Transfer Agreement and Addendum. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.

Your rights to your personal information

Data protection legislation gives you the right to request access to personal information about you which is processed by the British Red Cross and to have any inaccuracies corrected.

You also have the right to ask us to erase your personal information, ask us to restrict our processing of your personal information or to object to our processing of your personal information.

If you wish to exercise these rights, please complete this request form (PDF), and send it along with copies of two separate identification documents which provide photo identification and confirm your address, such as a passport, driving licence, or utility bill.

Please also provide any additional information that is relevant to the nature of your contact with us, as this will help us to locate your records.

You can send us the documents via post to:

Information Governance Team
British Red Cross
44 Moorfields
London
EC2Y 9AL

Alternatively email a copy of the form along with scans or photos of your two forms of identification to: dataprotection@redcross.org.uk.

We will respond within 30 days, on receipt of your written request and copies of your identification documents.

How to make a complaint or raise a concern

If you would like more information, or have any questions about this policy, to make a formal complaint about our approach to data protection or raise privacy concerns please contact the Information Governance Team:

Email dataprotection@redcross.org.uk
Phone 0344 871 1111
Post

British Red Cross
44 Moorfields
London
EC2Y 9AL

If you would like to make a complaint in relation to how we have handled your personal information, please follow our complaints procedure. If you are not happy with the response you receive, then you can raise your concern with the relevant statutory body:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Alternatively, you can visit their websiteWe are registered with the Information Commissioner’s Office as a Data Controller under number Z5379882.

NHS data security and protection toolkit

The British Red Cross uses the NHS data security and protection toolkit every year to ensure that our data is held against the National Data Guardian’s ten data security standards.

Changes to our Privacy Notice

Our Privacy Notice may change from time to time, so please check this page occasionally to see if we have included any updates or changes, and that you are happy with them.

(Last updated: 25 November 2022)