Hello, we’re the National Society for the Prevention of Cruelty to Children, though you probably know us as the NSPCC. We're the leading children's charity fighting to end child abuse in the UK, Channel Islands and Isle of Man. We help children who have been abused to rebuild their lives, protect those at risk, and find the best ways of preventing abuse from ever happening.
Safety is at the heart of everything we do. Our mission is to keep children safe across the UK – it’s what drives all our work. But, as one of our valued supporters, service users or affiliates that also extends to keeping your personal information safe. At the NSPCC we value anyone who comes into contact with us and we’re committed to protecting your privacy so we make sure we protect any of your personal data that we have.
The NSPCC is registered under the Data Protection Act 2018 under number Z6593104 and for the purposes of this policy is the Data Controller. Our registered charity numbers are 216401 in England and Wales and SC037717 in Scotland. The NSPCC Trading Company Ltd. (registered Company in England & Wales no. 890446) is a wholly owned subsidiary of ours which trades on our behalf. We have appointed a DPO at DPO Centre Limited, 50 Liverpool St, London EC2M 7PY.
Below we have answered a range of questions to help you better understand how we protect your personal data.
Personal data is any information that can be used to identify you or another living individual. So for example, if you donate money, use our services or visit our offices, request our products, or become involved in our campaigns or volunteering work, we will collect and process the personal data that you’ve provided.
We may also collect personal data from you when you report a problem with our website, if you complete a survey which we use for research or evaluation purposes, or if you give us your details as part of a report to our Helpline or when you give us feedback or contact us (see below for more information).
We may collect the following personal data:
- Basic personal details (your name, email address, postal address, telephone or mobile number and date of birth)
- Financial details (bank account number, UK tax payer information for gift aid)
- Credit or debit card information
- IP address
- Photos, videos or audio recordings used as part of our work with you
- CCTV which is in use at various NSPCC premises.
We may also collect, store and use the following 'special categories' of more sensitive personal data which require a higher level of protection, called a 'condition of processing'. We will not process any of the following special categories of data without a condition of processing:
- Information about your race or ethnicity, philosophical or religious beliefs, sexual orientation and political opinions
- Trade Union membership
- Information about your health, including any medical condition, health and sickness records
- Information about criminal convictions.
We also collect more technical data which may identify your device or web browser, relating to details of your visits to our website, for example location data, how you found us and the resources accessed on our website. We use this to provide you with the information, services or products that you’re interested in and are most relevant to you.
This data is collected by cookies, which are small files stored on your computer’s or mobile device’s web browser. Our site uses these cookies to keep you logged in as you move around the site, to provide some of our content, and to monitor the website’s performance. This helps us make the website better for you and for others.
To understand how we use information about the communications devices you use, such as IP address (the location of the computer on the internet) and cookies, please see our Cookies policy page. This page also provides information on how you can prevent or control the cookies that are stored on your computer or device web browser via our cookies management tool, as well as remove them completely.
There are a number of ways that we may use your personal data in accordance with the lawful basis described in 'Our lawful basis for processing your personal data' below. The following are the ways we use your personal data for our core activities:
- To provide you with information (such as fundraising or campaigning activities), services or products you’ve requested or which we feel may interest you. When you interact with an email sent from the NSPCC, such as opening an email or clicking on a particular web link, we will receive information about that interaction. We use this information to ensure that we understand how our campaigns are being received, as well as to ensure that we continue to act in accordance with how you've chosen to hear from us. We may also permit selected third parties to provide you with information on our behalf. But all this will only happen when you’ve consented to this. For more information, please see “Sharing your information with third parties” below.
- To provide key services for safeguarding of children as part of children’s and national services. This could include the collection of ethnicity and health data. This helps us ensure that we are able to effectively assess the needs of all individuals so that we can work with the most appropriate agencies, and ensures that our services reach the right people.
- To enable us to support you in our work with you. Sometimes we may use mobile phones, cameras or laptops for filming, voice recording or slideshows as part of our work with you. These may be used to improve your relationships or help you understand our work better, and may also be used to help our workers learn how to support you better.
- To evaluate and improve our fundraising activities as well as the services we provide to children and families. This could be analysing demographics to inform our campaign, marketing and service provision strategies. This helps us ensure we understand how effective our services are and ensures we spend our charitable donations in the most effective way. If you start using an NSPCC service, we may continue to use your data for evaluation purposes, but this will be in statistical form and will not identify you as an individual.
- To analyse and improve the services offered on our websites. This means we can provide you with the most user-friendly navigation experience we can, which may involve providing your information to third parties.
- To allow you to participate in interactive features on our website, when you choose to do so. For example, we may help you auto-complete forms by inserting your contact details for you to edit.
- To use your IP addresses to identify relevant information. This may include information such as your approximate location. It also helps us to block disruptive use or establish information like the number of visits to the website from different countries.
- To make our marketing campaigns more targeted and relevant to potential donors and customers.
- To record and respond to any compliments, comments or complaints from supporters or service users and to appropriately investigate and implement necessary changes. All feedback helps us to learn and to improve what we do. For more information please read our Compliments, Comments and Complaints policy.
- To conduct prospect research. For more information please see the Prospect research section below.
- To promote our activities. Where you have given us your consent we may use photos of you, or testimonials, for promotional activities and communications.
- To match information collected from you through different means or at different times. That could include using information collected online and offline, along with information obtained from other sources, including third parties and publicly available sources, to ensure that the information we hold about you is up to date and accurate. These include third parties such as BT OSIS, Post Office Address File and Experian Quick Address.
- To assess your suitability for a role at the NSPCC as an employee or a volunteer. This may involve conducting internal searches against our database as part of the application process.
- To protect staff and visitors to NSPCC sites. To protect staff and visitors, and to protect the organisation against theft, some sites will have CCTV installed.
Some of these activities may also involve ‘automated decision-making’. However, you have the right to object to the use of your personal data for profiling and automated decision-making processes. For information on how to exercise these rights, please see the section on ‘Your Rights’ below.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal data, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
If you wish to change or update your consent for direct marketing you can contact our Supporter Care team. Please see 'Complaints' below.
Our researchers use personal data, including sensitive personal data, in their research activities. This might include research such as evaluating our services such as Speak Out Stay Safe or commissioning research to help us understand what parents of disabled children want to help keep their children safe from sexual abuse. Research allows us to ensure our services, programmes and campaigns support children and families as effectively as possible, effectively scale up our services, and identify additional areas for research, campaigns and programme development. We don't seek consent to use your personal data for this purpose, but rely on legitimate interests as our lawful basis. For our research activities, we ensure that we have conducted an assessment to ensure that our interests as a charity have not outweighed your rights and freedoms as an individual.
We conduct prospect research to identify people who may be interested in supporting the NSPCC with a major gift. We do this by analysing the information we hold on current or past supporters, as well as credible sources in the public domain, to find people who we believe have the capacity and propensity to support us at this level. To help us make these decisions, we have developed a scoring system that we use to calculate how likely a person is to donate a major gift, and the level of support they could provide. This enables us to prioritise our resources and ensure that the funding proposals that we develop are appropriately tailored as we seek to generate support for ending child abuse.
We only use information from credible sources in the public domain, and we never use third parties to conduct research on our behalf. We do not seek consent to conduct this research, but rely on legitimate interest as our lawful basis. If we do conduct research on you we will notify you at the first available opportunity so that you have the opportunity to view the information we have collected along with any score that we have applied to your record and request its deletion. If we are unable to notify you within six months, then our policy is to proactively delete this information from our records.
Data Protection law requires us to have a reason or justification, also known as a ‘lawful basis’, for using any of your personal data:
This is where we've asked for your permission to use your personal data in a specific way, and you've agreed. For example to send you marketing via email or SMS.
We may process your personal data as part of an agreement you have with us. For example if you work for us or if you purchase something from our online shop.
We may collect or share your personal data where we are required to do so by law. For example to fulfil a regulatory requirement or for fraud detection.
Where there's an immediate risk to your health we may use your personal data. For example if we're concerned for your health or safety at one of our fundraising events.
Some activities are undertaken in the public interest. For example collecting personal data in relation to safeguarding concerns raised via the NSPCC Helpline.
Our legitimate interest is in engaging with the public to further our charitable aims.
Whenever we use this justification we will always conduct a balancing exercise to ensure that we consider the impact on you as an individual to ensure that our interests are not overridden by the impact on you. Some examples of activities where we rely on legitimate interests are:
- Sending you direct marketing via post;
- Conducting research to better understand our supporters and improve the services we offer to families;
- The use of CCTV in certain NSPCC offices for monitoring and security purposes;
- Sharing personal data amongst relevant teams within the NSPCC to ensure we communicate with our supporters in the most effective way;
- Purchasing marketing lists to promote our professional services via email to those who work directly or indirectly with children and young people;
- Handling any compliments or complaints in line with our policy.
We will not rent or sell your personal data to other organisations for use by them in any way, including in their own direct marketing activities.
Should you decide to participate in NSPCC Virtual Training this may be via an online platform such as Zoom. You will need to sign up to the service and this will be subject to Zoom’s own Privacy Notice which you will find at https://zoom.us/privacy.
Sometimes we cannot keep information confidential as we need to ensure all children, young people and vulnerable adults are safe. This means that if you tell us anything about yourself or another person being hurt or at risk of being hurt we might need to tell someone who can help (such as a social worker, parent or teacher). Sometimes the court might order us to share information and you might ask us to share information on your behalf.
If your local authority or another agency, such as your school or the police, have asked us to work with you we will need to gain information from them about you and share information with them and then we will need to let them know the outcome of our work. We will tell you who we are sharing your information with and why, unless it is a concern as mentioned above or we do not think it is safe to do so.
Sometimes we might want to tell your carer, social worker or someone else about how things are going while you are working with us, but we will always check this out with you first, unless we think it is not safe to do so.
We may ask you to complete a checklist which we send to another organisation, once we have removed any information that could identify you, and they provide us with a report to help us understand what will help you best.
However, where you have given us permission to contact you, we may pass on your data to external service providers to contact you on our behalf. For example, we may pass on your personal information to telemarketing companies such as DTV Optimise or Mango to conduct campaigns on our behalf.
We may ask external service providers to carry out tracking and analysis on our behalf as described in the cookies policy. For instance, we may pass on hashed out digital data (such as IP addresses) to our media agency OMD to monitor how well our campaigns are performing.
Where we use an external service provider to act on our behalf, we will disclose only the personal data necessary to deliver the service and will have a contract in place that requires the provider to comply with NSPCC data protection and information security requirements.
Sharing with Joint Controllers
The NSPCC uses the Facebook Pixel cookie on this Site for the purposes of the remarketing, analysis and reporting of NSPCC advertising campaigns as described below in “Remarketing” and in the NSPCC’s Cookies Policy. Use of this tool means that information about pages you have visited on this Site and your IP address will be shared with Facebook who subsequently serve you advertising on Facebook based on this information.
It should be noted that for the purpose of these “Joint Processing” activities we are required by Facebook Ireland to provide you with the following information:
- Facebook Ireland is a Joint Controller of this Joint Processing and that the information required by Article 13(1)(a) and (b) GDPR can be found in Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy.
- The information that the NSPCC uses Applicable Products, as well as the purposes for which the collection and transmission of Personal Data that constitutes the Joint Processing takes place as set out in the Applicable Product Terms, is described above.
- Further information on how Facebook Ireland processes Personal Data, including the legal basis Facebook Ireland relies on and the ways you may exercise your rights as a data subject against Facebook Ireland, can be found in Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy.
In addition, please note that:
- The NSPCC and Facebook Ireland have:
  - entered into a Controller Addendum to determine their respective responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing of the use of the Applicable Products (Facebook Pixel cookies) and the personal information derived from them;
  - agreed that NSPCC are responsible for providing Data Subjects as a minimum with the information required under article 13 GDPR (see information provided above); and
  - agreed that Facebook Ireland is responsible for enabling your rights as a data subject under Articles 15-20 of the GDPR with regard to the Personal Data stored by Facebook Ireland after the Joint Processing.
We always have your best interests at heart and your personal data will not be retained by the NSPCC for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.
We're legally required to hold some personal data to fulfil statutory obligations. For example the collection of Gift Aid or to support certain financial transactions. We may be asked to keep records for longer periods or receive statutory instruction not to delete records.
If you've used any of our services supporting children and families, for example Baby Steps or Letting the Future In, we will make notes of the work we do. We will keep these notes for 25 or 75 years depending on the nature of our work and your circumstances. For more information, or to request a copy of our data retention policy, please contact our Data Protection team at firstname.lastname@example.org.
Please see the ‘Sharing your information with third parties, keeping your information safe’ section for further details on data processing of the Facebook Pixel.
We want to ensure that we provide you with information that is relevant to you. In order to do this, we may need to analyse the information we hold on you for supporter analysis and data quality purposes. This analysis includes modelling (e.g. how likely you are to respond to the invitation) and segmenting (looking at people who are similar to you), so that you receive targeted and relevant communication.
This ensures we can spend our charitable donations effectively to obtain the biggest impact for children. Additionally, as our data is captured from various different sources (e.g. donation or through our website, campaign data), for data quality purposes we will analyse your data to ensure we do not have unnecessary multiple versions of information on the same person on our database.
In carrying out the above activities, we may from time to time use publicly available information or information gathered from specialist companies. These include Directory of Social Change and UKChanges, companies that collate and analyse information from public registers to help ensure we have accurate and up to date information about our supporters. These companies may have obtained this information directly from you and in circumstances where you legitimately expect that they will pass on your information to other entities.
We will only use data collected in this manner for purposes to which you have consented or, if this is not reasonably practical, where we believe it is reasonably necessary to process your personal data for the purposes for which it has been provided. Throughout all of this we will always ensure that the privacy and security of your personal data is protected.
The NSPCC will ensure that when collecting information such as debit cards, credit cards or personal data, this is done securely. We and our partners use TLS (Transport Layer Security) to encrypt data sent between the customer and us or our partners.
The NSPCC is PCI compliant and uses external Payment Card Industry (PCI) compliant providers to collect this data on our behalf. We do not store PCI data on our own systems.
To protect yourself when sending us sensitive information, please ensure that you use devices running supported operating systems that are regularly patched, and incorporate some form of malware protection. Only connect your devices to networks that you trust.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping the password confidential. You agree not to share that password with anyone else.
The personal data collected from you may, in very rare circumstances, be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by individuals operating outside the EEA who work for us or on our behalf. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services.
By submitting your personal data, you agree to this transfer, storing and processing at a location outside the European Economic Area. Where data is transferred outside the EEA, we have gone through a full due diligence process to help ensure the data is afforded the same levels of security. In addition, we will ensure that the transfer of data outside the EEA is undertaken in a manner that is legally compliant and in a way that is consistent with and which respects EU and UK laws on data protection.
Unfortunately, the transmission of information via the Internet is never 100% secure and we cannot guarantee the security of your data transmitted to our website. This means any such transmission is at your own risk.
To make sure we always have the most up-to-date information about how to contact you, we may also, from time to time, update your records to reflect any changes to your personal data.
This information may come directly from you, or it may come from a third party that we consider is legitimate and trustworthy and in circumstances where it is appropriate and where you will have had a clear expectation that your details would be passed on for this purpose.
We may also combine the information you provide us with information we collect from trusted third parties and partners such as business partners, sub-contractors, advertising networks, analytics providers, search information providers, credit reference agencies as well as publicly available sources. These third parties include UKChanges, Post Office Address File and Experian Quick Address.
For more information on cookie files and IP addresses read our cookies policy. This page also provides information on how you can prevent or control the cookies that are stored on your computer or device web browser by using our cookies management tool, as well as how to remove them completely.
If you'd like to access any of your rights, please contact us using the information below.
a. Right to access your personal data
You have the right to access the personal data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request’. If we agree that we are obliged to provide personal data to you (or someone else on your behalf), we will provide it to you or them and aim to do so within 30 days from when your identity has been confirmed. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be excessive in nature.
We would ask for proof of identity and sufficient information about your interactions with us that we can locate your personal data.
b. Right to correct your personal data
If any of the personal data we hold about you is inaccurate or out of date, you may ask us to correct it.
If you would like to exercise this right, please contact us as set out below.
c. Right to stop or limit our processing of your personal data
You have the right to object to us processing your personal data for particular purposes, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
d. Right to have your personal data erased
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
e. Right to portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.
If you would like to exercise this right, please contact us as set out below.
You can make any of the above requests by emailing email@example.com or by writing to:
Data Protection Officer
42 Curtain Rd
We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
You can also find out more about what to expect if someone has made a report about you and how you can access your information on our report abuse page.
Read our guide to accessing your personal data (PDF, 303KB)
If you're concerned about the way your personal data is handled, please contact the Data Protection team at firstname.lastname@example.org.
If you would like to change the way we contact you, please contact our Supporter Care team on 020 7825 2505 or by emailing us at email@example.com.
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here: https://ico.org.uk/for-the-public.
You also have the right to contact the Information Commissioner’s Office on 0303 123 1113, via their website www.ico.org.uk or via post:
Information Commissioner’s Office