Privacy notice

At Young Epilepsy we're committed to protecting your privacy and personal information. We want to be completely transparent about why we need the personal information we request and how we will use it. Please find more information in our privacy notice.

This Privacy Notice applies to all members of the public who engage with us in any way. Please note that our policies may vary depending on other relationships you have with the organisation, such as if you are applying for a job, supporting our fundraising, are part of the E-CURe (research) network, or are using our health services (assessment, diagnostics or rehabilitation). Please check the relevant sections below if you are in one of these special groups.

Staff and volunteers, including Trustees, can find their privacy notices in the relevant handbooks provided to them when they start working with us.

If you have any questions in relation to this privacy notice or how we use your personal data, please contact our Data Protection Officer: 

Email: dpo@youngepilepsy.org.uk

Post: Data Protection Officer, Young Epilepsy, St Piers Lane, Lingfield, Surrey RH7 6PW

At Young Epilepsy we're committed to protecting your privacy and personal information. We want to be completely transparent about why we need the personal information we request and how we will use it. Please find more information in our privacy notice.

This Privacy Notice applies to all members of the public who engage with us in any way. Please note that our policies may vary depending on other relationships you have with the organisation, such as if you are applying for a job, supporting our fundraising, are part of the E-CURe (research) network, or are using our health services (assessment, diagnostics or rehabilitation). Please check the relevant sections below if you are in one of these special groups.

Staff and volunteers, including Trustees, can find their privacy notices in the relevant handbooks provided to them when they start working with us.

If you have any questions in relation to this privacy notice or how we use your personal data, please contact our Data Protection Officer: 

Email: dpo@youngepilepsy.org.uk

Post: Data Protection Officer, Young Epilepsy, St Piers Lane, Lingfield, Surrey RH7 6PW

Young Epilepsy strives to meet the highest standards when collecting and using personal information. We are are committed to upholding the standards and regulations embodied in the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). Personal data will therefore at all times be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security

Young Epilepsy will be responsible for, and be able to demonstrate compliance with, the DPA 2018 and the UK GDPR.

Here is a list of the rights that all individuals have under the General Data Protection Regulation (GDPR) and the Data Protection Act (2018). They don't apply in all circumstances. If you wish to use any of them, we'll help you as much as possible.

You have the right to:

  • Be informed (the purpose of this Privacy Notice)
  • Access your information
  • Rectify inaccurate or incomplete data
  • Request the erasure of your information
  • Restrict how your data is processed
  • To object to the use of your information
  • Certain protections when your data is used for automated decision making and profiling

There is an additional right regarding data portability, but Young Epilepsy will not undertake data portability.

Should you wish to exercise any of these rights please contact us, using the details provided at the end of the document.

We may collect the personal data you give us when you use our services, contact us, donate or complete online forms or when you use other platforms such as Just Giving or Much Loved. This data may include your name, title, address, date of birth, age, gender, email address, telephone numbers, personal description, photographs and CCTV images. We'll only collect the personal data that we need to fulfil the purposes of this notice.

You may provide personal data if you take part in a survey or a piece of research.

You may provide us with your personal details for a case study or you may share your personal story with us.

Some of the information we hold on you  may be anonymised, so that we can share it more widely or retain it for longer periods. You will not be identifiable in these records.

Young Epilepsy may collect your health information, such as information you may provide on your relationship to epilepsy, any medication you may take and any other medical conditions you may have

We may also collect information that you share with us regarding your ethnicity and/or your sexual orientation, however this information is used anonymously to help us better understand the diversity of our audiences.

Other special category information may be held if you are a patient using our  health services, which are outlined in Section 13 below, or are a member of our E-CURe network in section 15 below.

Your personal information may be used in different ways depending on the purpose for which it was collected. This may include but is not limited to:

  • Furthering our charitable objectives
  • Fundraising, campaigning and marketing
  • Guiding our work as a charity, such as informing us of what topics or issues Young Epilepsy should be campaigning for or providing support on.
  • Maintaining our websites, digital platforms and social media, including monitoring their use, data analysis and statistics
  • Monitor website use to identify visitor location, guard against disruptive use, monitor website traffic, personalise information which is presented to you and/or to provide you with targeted advertisements
  • Providing information in newsletters, appeals and campaigns or other information that we feel may be of interest to you.
  • Send you correspondence and communicate with you, using traditional channels and via social media platforms 
  • Promoting Young Epilepsy’s activities, events, surveys, research and campaigns.
  • Processing any donations or payments and to fulfil online orders, bookings or requests
  • Promoting, organising and delivering an event, conference, meeting or similar activity and inviting you to attend
  • Thanking you, and responding to your requests, questions, comments or complaints
  • Providing training materials, and information resources and guides.
  • Maintaining our organisational records and generating reports on our work and activities
  • Check for updated contact details against third party sources so that we can stay in touch if you move
  • Identify potential supporters, donors, researchers or other partners
  • Ensuring you are on the correct and most age-appropriate mailing list(s) and that we have parental consent where required by law
  • Providing support to you (or your family) as a young person with epilepsy
  • Providing the most effective and efficient care and treatment if you are a patient
  • Processing your job application
  • Inviting you to individual support sessions, or group meetings, social events or our virtual youth club
  • If you agree to share your story, the information we receive about you is used to create content to be published on our website, or on The Channel, in corporate publications, in e-newsletters, on our social media channels or in our fundraising and marketing materials.
  • Meeting our legal and regulatory obligations
  • Establishing, defending or enforcing legal cases

Please see relevant sections below for how we may use your data in special situations such as if you are fundraising or making a donation (Section 12) using our Health Services, for Assessment, Rehabilitation or Diagnostics (Section 13 ) or you are a Job Applicant (Section 14 ) or a member of our E-Cure (research) Network (Section 15 )

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing supportercare@youngepilepsy.org.uk

The DPA 2018 and the UK GDPR require us to have a lawful basis for processing your data and these are outlined below

Consent/Explicit consent

Any information you provide to us is processed on the basis that its provision indicates explicit consent for us to process it as outlined above.

Digital marketing communications (email, texts) will only be sent to you if you have opted in to this method of communication. This consent to marketing will apply for approximately three years after your last contact with us unless we hear otherwise from you.

Where we are holding special category data, relating, for example, to your health, we do so because you have provided your explicit consent. This might be obtained via a formal consent form or because you have voluntarily provided us with this information, having been given this privacy notice.

If your personal data is to be used for campaign or publicity purposes, such as with a content piece, vlog or blog then your consent will be sought in a formal consent form, provided by the staff team that you are working with.

You can withdraw your consent (opt out) at any time. Just contact us using the contact details at the end of this notice.

Contract

If we have a contractual relationship with you, for example relating to merchandise or items you may have purchased from us, then we are required to maintain these records.

Historic value

Young Epilepsy and St Piers School and College date back over 125 years, so some records are permanently preserved for their historic value. For example, if your photo is on one of our publications, then that document may be kept permanently.

Legal claims and obligations

Where the processing is necessary to establish, defend or exercise legal claims or where ordered by a court or tribunal.

Legal and regulatory requirements

Young Epilepsy complies with other regulatory and legislative requirements, which may also provide a lawful basis for us using and retaining your data, such as the requirement to keep financial records for seven years and to comply with the Statute of Limitation.

Legitimate Interests

We believe it is in the legitimate interest of both you and Young Epilepsy to use your data as outlined above, for example for posting to you, or phoning you about, marketing, fundraising or other information which we think may be of interest to you.

We also use legitimate interests as our lawful basis for contacting businesses who we think may wish to support Young Epilepsy.

We will not however contact you if you have registered with the Mailing Preference Service (MPS) or Fundraising Preference Service (FPS)

It is in Young Epilepsy’s legitimate interests to process some patient data for administrative and management purposes. This may include allowing staff access to a patient’s data, and using anonymised patient data to measure the ethnic diversity of our patient group.

We believe that it is in Young Epilepsy’s legitimate interests to circulate relevant information as widely as possible and we do not believe that this overrides your interests, rights or freedoms. If you think otherwise, please let us know and we will stop communicating with you on this basis. You can do this at any time by emailing supportercare@youngepilepsy.org.uk

Medical purposes

For example, for preventive medicine, for a working capacity assessment, for medical diagnosis or the provision of health or social care. For example, we may share personal data about a young person’s medical history when making a referral to another medical professional.

Public Interest

Where the processing meets one of the 23 conditions set out in Schedule One, paragraphs 6-28 of the DPA 2018

Public health

Where the processing is necessary for public health monitoring and statistics, or responding to new threats to public health, such as epidemics/pandemics.

Across Young Epilepsy’s health and research offers we apply the Caldicott Principles to health and social care data, so that every flow of patient identifiable information is regularly justified and routinely tested against the principles developed in the Caldicott Report.

  • Principle 1 Justify the purpose(s) for using confidential information
  • Principle 2 Only use it when absolutely necessary
  • Principle 3 Use the minimum that is required
  • Principle 4 Access should be on a strict need-to-know basis
  • Principle 5 Everyone must understand his or her responsibilities
  • Principle 6 Understand and comply with the law
  • Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality
  • Principle 8 Inform patients and service users about how their confidential information is used

As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

As part of our fundraising and marketing activities we also comply with the standards of the PECR. We will not contact you by email or SMS/text for marketing purposes without your consent and we will not phone you if you have asked us not to, or if you have registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) or Fundraising Preference Service (FPS).

If you make a donation, support our campaigns or get involved in our fundraising activities and events, we may capture additional information about you that includes but is not limited to:

  • Any blog, vlog, interviews, photos or videos or other publicity/marketing information that you may provide us with
  • A record of your relationship with Young Epilepsy such as any contact you may have had with us, events you have attended etc.
  • Information we may have generated about you through our research and profiling activities
  • Who your local decision makers are, such as your MP or local councillor
  • Information about your activities on our websites or social media platforms when you use them
  • Your tax payer status if you have made a donation and we are able to claim Gift Aid
  • Any other information that you may provide at meetings, in conversation, by email or in any other form of communication

What this information is used for

  • furthering our charitable objectives through fundraising, campaigning and marketing
  • processing any donations or payments
  • promoting Young Epilepsy’s activities, events, surveys, research and campaigns.
  • promoting, organising and delivering an event, conference, meeting or similar activity and inviting you to attend
  • thanking you, and responding to your requests, questions, comments or complaints
  • providing information in newsletters, appeals and campaigns or other information that we feel may be of interest to you.
  • conducting due diligence checks
  • identifying potential supporters, donors and activists, through data profiling and research
  • responding to any legacy pledges we may receive

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing supportercare@youngepilepsy.org.uk

Young Epilepsy may keep the following additional personal data and special categories of personal data relating to patients:

  • Personal details
  • Educational information
  • Medical, therapy, psychology and health information
  • Social care information
  • In-house Video-EEG, Video-Telemetry and OPM-MEG recordings, external imaging data, data analysis and reports and any data or reports shared with us from a referring hospital;
  • Safeguarding information;

Where it is pertinent to the treatment and care we provide to the patient we will also keep some information on parents/carers and on other family members. For instance, the family’s medical history may be kept, where it relates to their child’s health. This is extremely helpful to us, but if you do not want this information kept please tell us immediately.

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing dpo@youngepilepsy.org.uk

Anonymised information

We may also use anonymised information about the education/ care/treatment of our Patients for research (subject to Research Ethics approval) or for audit purposes. It may also be used to provide training or for presentation outside of Young Epilepsy. Please be assured though that in these situations the information is fully anonymised so that it is not possible to personally identify your young person.

What this information is used for

In order for us to assess the patient, information on their educational, medical, social and personal history is needed. This information will be used by us to make an assessment of the patient.

The information we keep on patients allows us to provide the most effective and efficient care and treatment for them. By reviewing any previous treatment or strategies used we are able to determine what care and treatment may work best for them.

It is also important that we keep a record of the care and treatment the patient has received. These records range from day journals which record a patient’s daily activities, to seizure charts and medication records. These allow us to monitor patient progress and development.

In our Diagnostic Suite EEG/MEG recordings including video footage, analysis and reports are used in order to undertake a diagnostic assessment.

Source of the data

In order to provide the most effective and efficient care and treatment for your young person it is essential that we have all pertinent information. This may involve obtaining information from the following sources:-

  • The young person/patient
  • Parents, family and friends of the young person/patient
  • The funding authority/authorities
  • The referring authority
  • Former placement providers, such as previous residential placements or schools attended by the young person/patient
  • Local service providers, such as the patient’s/young person’s school, therapists and CAMHS team
  • Health providers including both primary and secondary care
  • The individuals or organisations whose contact details you or your family have provided us with, on our contact form

This will have been obtained from relevant individuals and organisations either as part of the admissions process or during your young person’s time at Young Epilepsy.

Sharing information

In addition to the notice above, we may share patient data as outlined below, and for any other disclosures of information, your consent will be sought on an individual basis.

Routine sharing

Sharing information is beneficial for patients as it helps provide a comprehensive understanding of their needs and development and also allows for all those involved in their care and treatment to be aware of the young person’s development whilst at Young Epilepsy.

We will therefore routinely disclose correspondence, reports and information with the following people/ organisations:-

  • All professionals involved in funding the placement, which may include Local Authorities, Social Care and Health Commissioners
  • The referring authority, for example Maidstone and Tunbridge Wells Hospital or Great Ormond Street Hospital
  • The individuals or organisations whose contact details you have provided us with, on our contact form
  • The young person’s Social Worker
  • Local service providers such as the patient’s/young person’s school, GP surgery, hospital, therapists and, if appropriate, Child & Adolescent Mental Health Services team (CAMHS)
  • Other health professionals involved with the patient’s care including their GP and any local consultants
  • Individuals who have parental authority, such as parents, guardians or carers. (Both parents will be given information unless we have been informed that parental responsibility rests solely with one.)This sharing is for the benefit of your young person as it helps provide a comprehensive understanding of his/her needs and development and also allows for all those involved in their care and treatment to be aware of the young person’s development and assessment whilst using the Assessment Service.

Legal obligations

We are also legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, all safeguarding concerns must be disclosed to the relevant organisations and individuals, such as the Local Authority, your young person’s Social Worker and possibly the police. Similarly, we will also share certain information with new placement providers, such as a summary chronology of all safeguarding incidents and if your young person is a Looked After Child (LAC) then his/her Care Plan, Personal Education Plan and the minutes of LAC meetings.

Data Processors

We use data processors, this is an organisation responsible for processing personal data on behalf of Young Epilepsy. It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy, the DPA 2018 and the UK GDPR are upheld at all times.

Some data processors use anonymised personal data for their specific reasons, such as statistical, quality control, security, research or other purposes. Where this occurs, we can confirm the data is always anonymised and Patients cannot be identified from it.

An example of a data processor is Earwig, a software that allows our Education staff to more effectively produce teaching evidence, assessments and reports and to track individual Patient progress. In order to utilise this software, we have to upload and record Patient information.

The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact the DPO using the details provided.

Complaints/Reviews

Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.

Anonymisation

Some of the information we hold on our Patients may be anonymised, so that we can share the results more widely. You and/or the patient/young person will not be identifiable in these records.

Retention of records

Young Epilepsy keeps records for different periods depending upon the nature of the record and its value. We only keep records for as long as is necessary for the purposes of this notice. For people using our Health Services different retention policies apply for:

  • Interdisciplinary and Diagnostic assessments

    Records generated by Young Epilepsy staff will be retained for 20 years after the date the assessment is completed and/or any issues resolved. This is in accordance with the NHS Code of Practice for Health & Social Care records relating to records of a long term illness or an illness that may reoccur. Other records, such as standard/general correspondence and records obtained from others involved with the young person, such as professionals or family members, will be securely destroyed after six years.
  • Rehabilitation records

    Records generated by Young Epilepsy staff will be retained for 20 years after the date the rehabilitation is completed and/or any issues resolved. This is in accordance with the NHS Code of Practice for Health & Social Care records relating to records of a long term illness or an illness that may reoccur. Other records, such as standard/general correspondence and records obtained from others involved with the young person, such as professionals or family members, will be securely destroyed after six years.
  • Preview assessments/visits

    Records generated by Young Epilepsy staff will be retained for six years after the date the assessment is completed. Other records, such as standard/general correspondence and records obtained from others involved with the young person, such as professionals or family members, will be securely destroyed after one year.
  • Potential referrals for assessment

    If we have received records on a young person, who does not end up attending a Preview visit or being assessed, then the records generated by Young Epilepsy staff will be retained for two years after a decision is made not to refer a young person or after contact ceases.
  • Video-EEG, OPM MEG and Video-Telemetry records

    Records generated by Young Epilepsy staff will be retained for 20 years after the date of the Video-EEG/MEG/Video-Telemetry is completed and/or any issues resolved. This is in accordance with the NHS Code of Practice for Health & Social Care records relating to records of a long term illness or an illness that may reoccur. Other records, such as standard/general correspondence and records obtained from others involved with the young person, such as professionals or family members, will be securely destroyed after six years.

A full copy of the Health Service’s retention schedule is available upon request.

  • CCTV

    In the unusual occurrence of a CCTV recording being made (usually only live feed is used), the recordings will be kept for a minimum length of time. For example, where the recording needs to be reviewed by a medical professional as part of the assessment process it will be kept until that review has been completed and any issues, such as seeking other professional advice, are resolved.

Young Epilepsy will process information about prospective employees as part of the normal recruitment and selection process. These records will include but are not limited to:

  • Application forms (both digital and hard copy)
  • Shortlisting and interview documents
  • References
  • Pre-employment health forms
  • Any correspondence between you and Young Epilepsy.

This may include personal data and special categories of personal data, such as information about health.

What this information is used for

The information is primarily used for management and administrative purposes to assess your suitability for a role. Information provided about gender, race or ethnic origin, religious beliefs and disabilities may be used anonymously for monitoring purposes.

If, within 12 months of your initial application, another relevant role should become available then we may use the contact details you have provided to make you aware of this new opportunity.

Source

You will have provided most of this information, but some may also be obtained from other people or organisations, for example former employers or referees.

Sharing information

The recruitment records will be shared internally with the Interviewing Panel, management teams and the HR department.

Anonymisation

Some of the information we hold on our applicants may be anonymised, so that we can share the results more widely. You will not be identifiable in these records.

Lawful basis

Employment, social security and social protection law

This supports Young Epilepsy checking potential employees’ right to work in the UK, ensuring the health safety and welfare of employees, maintaining statutory sick pay and maternity pay and deducting union subscriptions from payroll.

Contract

This data is being processed in the context of a potential employment contract with you.

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing dpo@youngepilepsy.org.uk

In addition to the general notice above, as a member of the E-CURe network we may keep additional information about you that includes, but is not limited to:

  • Information you may share with us in E-CURe activities, such as consultations, surveys and workshops. (At the conclusion end of each we may save some of the data in case we need to check it and for future research. This data will be fully anonymised, we will make sure no-one can work out who you are from any reports we write.)
  • Personal information, such as your name, contact details and date of birth;
  • Records of any contact you may have had with our staff teams;
  • Survey responses (if you complete a survey and provided your contact details);
  • Research you may have participated in or research topics and areas you are most interested in
  • Any other information that you may provide in conversation, by email or in other correspondence

The aim of the network is to create a pool of parents of young people with epilepsy who are happy to be contacted and consulted on research ideas, design and management. We will therefore use your contact information to contact you about the E-CURe network, which may involve:-

  • Monthly correspondence from the E-CURe administration (although this may happen more frequently if we need to send a deadline reminder or if there is an urgent need);
  • Invitations to individual members for specific research tasks via the Research Coordinator at Young Epilepsy
  • Invitations and reminders about meetings, appointments and events etc as often as determined by the account managers
  • Formal invitations from the Young Epilepsy research unit members and Epilepsy Research UK paediatric epilepsy grantees, sent at our Research coordinator’s discretion.

If you participate in consultations and surveys the information you provide will be used to identify areas of epilepsy that you are interested in and be used to provide feedback to the research project manager.

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing dpo@youngepilepsy.org.uk

This privacy notice applies to young people as well as adults. However, in some respects the law applies differently if you are under 18 years of age, specifically regarding Consent.

Consent

In many instances, we will rely on obtaining consent, either your consent or the consent or your parent or guardian, to use your personal data.

What you can consent to:

  • If you are aged 13 to 17 and you wish to sign up to The Channel or The Hub.
  • If you are aged 16 plus you can consent to participate in a Young Epilepsy event

When the consent of a parent or guardian is needed:

  • You are under 13
  • You are under 16 and wish to:
    • Participate in a Young Epilepsy fundraising event
    • Volunteer with Young Epilepsy
    • Have your photo taken, be videoed, interviewed or provide written material to promote the work of Young Epilepsy
    • Participate in a group meeting or social event

If you provide your consent to us (or we obtain it from your parent or guardian) to use your personal data, you can withdraw consent, at any time in the future, by contacting us using the details set out below or by emailing yds@youngepilepsy.org.uk. Once you reach the age at which we cannot rely on parental/guardian consent, we will instead seek consent directly from you.

We are members of the Fundraising Regulator and follow their Code of Fundraising Practice guidelines.

Young Epilepsy will never sell personal information about supporters to any other organisation.

We will follow appropriate guidance for Direct Marketing as outlined by the Information Commissioners Office.

If you do not wish to be contacted by us for fundraising or marketing purposes you can opt out at any time using the contact details at the end of this notice.

We aim to make sure that the information we send to you is relevant and timely. We also wish to use our resources effectively which we know is important to our supporters. We may use profiling techniques to help us to make appropriate fundraising requests to supporters and importantly, enable us to raise more funds sooner, and more cost-effectively, than we otherwise would.

A profile is primarily based on information that you have given through previous interactions with us. This may include broad information relating to you, such as geographic and socio-economic data (age, postcode etc), in order to have a better understanding of your potential interests and preferences.

This helps us to only contact you with the most relevant communications. If you have made a gift to us, we would bear in mind its value and your giving patterns to help us be as relevant to you as we can. For example if you have made a donation towards our research work we will prioritise sending you further information relating to our scientific research.

Charity Commission rules require us to be assured of the source of funds and any conditions attached to them. As part of this process we'll carry out research using publicly available information and professional resources. If this applies to you, we'll remind you about the due diligence process when you make your donation and with relevant information from our privacy policy at an appropriate time. This is most likely to be at the point when we first make contact with you.

We may compile information about you using publicly available data, for example addresses, listed directorships or typical earnings in a specific commercial sector or profession. This enables us to understand more about you as an individual and your ability to support us.

We compare the original purpose for which it was collected and used against the purpose for which we intend to use it to determine whether the purposes are compatible. In deciding whether the two are compatible, we consider factors such as: 

  • the individual's reasonable expectations  
  • the potential effect on them of the processing
  • what they've been told.

For activities such as segmenting databases by reference to postcodes or other information we already have, this represents a relatively low level of intrusion into privacy and in these cases, the legitimate interest condition may be a valid basis for processing.  

If you do not wish your data to be processed for the purposes outlined here, please let us know. You can withdraw your consent at any time by emailing supportercare@youngepilepsy.org.uk

Sharing information

Young Epilepsy (and St Piers School and College) does not routinely share information with third parties, except as outlined below. Where we may wish to share the information more widely, we will either seek your consent to do so or anonymise the data, so that you are not identifiable.

Complaints/Reviews

Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.

Data Processors

We use data processors, this is an organisation responsible for processing personal data on behalf of Young Epilepsy (and St Piers School and College). It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy 9and St Piers School and College), the DPA 2018 and the UK GDPR are upheld at all times.

Examples of data processor are the companies that provides the software that allows us to manage our relationships with donors and supporters, that manage our financial merchandise sales and donations and that runs any platform on which Young Epilepsy (and St Piers School and College) internet pages/sites may be located. Whilst these may be overseas our contract ensures UK standards are applied.

The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact us using the contact details provided earlier.

Inspections

Young Epilepsy (and St Piers School and College) is subject to a number of regulatory standards, such as the Care Quality Commission, Information Commissioner’s Office, Fundraising Regulator etc. and may therefore allow its records to be inspected as part of that process, to ensure that Young Epilepsy (and St Piers School and College) is meeting the necessary standards. Inspectors will be given access to records but only provided with copies in exceptional circumstances, for example if a safeguarding concern is identified.

Legal obligation

We are legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, if safeguarding concerns were raised these must be disclosed to the relevant organisations and individuals.

Marketing and publicity material

If you provide us with information such as your story, photograph, blogs, vlogs or other publicity material, then this may be used :-

  • In our corporate material such as reports and fundraising materials;
  • On our social media, such Facebook, Twitter, Flikr and Instagram;
  • On Young Epilepsy websites/ platforms, such as The Channel, YouTube etc.;
  • On the radio, TV and in the newspapers or magazines, who may put it on their own websites.

These uses will mean that your information may be viewed by many people. If it is put on websites, webpages or social media then anyone with access to the internet will be able to access it. On occasion, we may only use your first name in such materials, but it may still be possible to identify you, for example if there is other information about you on our website, for example if you are a Young Supporter or Rep.

Wealth Screening

We may carry out wealth screening, a process which uses trusted third-party partners to automate some of this work. This helps us understand our members, donors and potential donors, including gathering information from publicly available resources to give an insight into your philanthropic interests and ability to support us.

If you would rather your personal data was not used for the purposes of wealth screening, you can contact our Supporter Care team via email at supportercare@youngepilepsy.org.uk

Cookie and pixel tags

Where you have consented to the use of cookies and/or pixel tags, the data collected may be shared with the originator of the cookie/pixel tag. In most cases this data will be hashed and so not identifiable.

Young Epilepsy keeps personal data in computerised, digital or hard copy filing systems. This can include the software that allows us to manage our relationships with donors and supporters, the platforms that host sites for us and paper records maintained by our teams. The information is held in a confidential manner with limited access, in accordance with the DPA 2018 and the UK GDPR.

We are committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

All online transactions take place via a secure server.

Payments or donations via forms on our websites are processed by Beacon using Stripe, Paypal and Go Cardless.

Payments for goods on our online shop are processed by Shopify.

Where donors provide card details manually on paper, individuals enter those details on Stripe and securely dispose of the  paper form using secure waste/shredding services.

Some of our premises have Closed Circuit Television (CCTV) and you may be recorded when you visit them. CCTV is used to provide security and to protect our staff, students, patients and visitors. A comprehensive CCTV procedure is available on our St Piers website here:

https://www.stpiers.org.uk/sites/default/files/2022-09/CCTVProcedure2022.pdf

We have a small number of CCTV cameras on campus, for security purposes, such as by Facilities area where our minibuses are kept and, a live feed in our Assessment, & Rehabilitation Unit as an unobtrusive way to monitor Patients being assessed. Where CCTV may be used in a Patient’s bedroom, we will seek consent for this usage.   

All CCTV usage is approved by the Executive Lead, in accordance with the Code of Practice from the Information Commissioner’s Office. Where there is CCTV there will be signage indicating its use. CCTV recordings are kept for seven days, unless an incident has been highlighted, in which case the CCTV will be kept until the incident is resolved.

How long we retain records for is determined by the purpose for which we hold them as set out in this policy. This includes complying with our regulatory and statutory obligations. For example, information relating to donations, gift aid and other financial matters will be retained for at least seven years, as required by HMRC.

Patient records are subject to individual retention policies as outlined in the above Section 13 titled ‘Patients and Families using our Health Services (Assessment, Rehabilitation and Diagnostics).

Recruitment records on prospective employees are held for a period of 12 months. If you secure a job, the recruitment records will pass to the HR Department and will be held under the conditions detailed in the HR retention schedule and ‘Working for or on behalf of Young Epilepsy’ privacy notice as laid out in the Staff Handbook.

Generally, our policy is not to keep records longer than seven years after last contact with you. If you have requested us to not to send you any marketing materials then we will add your name and contact details to a suppression list, which will be retained for a longer time to ensure we do not inadvertently contact you.

We never store payment card details after a transaction has been completed

If your details have been used for promotional purposes then these materials will be in use for much longer. For example, once something is on the internet it is very difficult to completely remove it.

Information provided to our websites and platforms, such as comments you may have made or files you have uploaded, will be kept on the site/ platform for at least seven years. This is because it is important to evidence past as well as current campaigns.

In exceptional circumstances some records may be retained for longer than the usual retention period where these form part of Young Epilepsy’s historic archive.  

Personal information that we no longer need is either securely destroyed/deleted and/or anonymised so that you can no longer be identified from it.

Details of all our retention policies are available upon request.

Young Epilepsy and St Piers School and College use social media to promote our work. We have a number of accounts including on Facebook, Twitter, LinkedIn, Instagram and TikTok. We also collect donations through other channels such as Facebook Fundraisers and Facebook Donate. Where members of the public engage with our posts or publish content relevant to our work, we may like the posts, follow them, reply or write to them.

If you are a social media user, we will use social media tools as part of our relationship with you, such as Facebook Custom and Lookalike audiences. Through using these tools, we will provide some of your data to the social media platform to allow them to identify your social media profile. You will then be shown advertising relating to Young Epilepsy which we think you will be interested in seeing. The social media platform will also use your profile to identify those with similar characteristics to you who we think may also be interested in finding out more about the work we do. These individuals will then be shown advertising about Young Epilepsy.

If you do not wish for us to customise our social media communications in this way, you can always tell us not to share your information with third party platforms by contacting us at supportercare@youngepilepsy.org.uk. You can also change your settings on social media and apps to stop this kind of targeting from specific or from all advertisers.

We also use matching techniques on social media platforms like Facebook. This involves pixels on our website, and you can find more information in our Cookie notice. A pixel is a piece of code on our website that can help us better understand the effectiveness of our advertising and the actions that people take on our site, such as visiting a page or adding an item to their basket. We'll be able to see when people took an action after seeing one of our ads on social media platforms, which can help us with retargeting.

None of the data tracked by the pixel contains personally identifiable information. The pixel will track when a user who has clicked on an advert and then subsequently viewed a page on our website. It will also measure how many pages a user has viewed after clicking on an advert.

You are able to opt out of the pixel via our Cookie notice.

We may update this privacy notice from time-to-time by posting a new version on our website. You should occasionally check these pages to ensure you are aware of the changes. For more information about how the privacy notice is changed please contact us using the details below.

Last updated: 16 December 2022

Please contact us if you:

  • Have any queries or concerns about the use of your personal data, as outlined in this notice
  • Wish to exercise one of your Data Protection rights
  • Need to correct or update any information we hold about you
  • Wish us to stop using your information or to change your contact preferences (please note that these changes may take 30 days to take effect)

Contact may be made as follows:

Supporter Engagement team:      supportercare@youngepilepsy.org.uk

Data Protection Officer:                dpo@youngepilepsy.org.uk

Both of the above can also be contacted through the main Young Epilepsy switchboard on 01342 832243.

Please note that should you be unhappy about the way we implement data protection you have the right to lodge a complaint with the Information Commissioner’s Office https://ico.org.uk/

If you have a complaint about fundraising please contact us on 01342 832243 or by email to supportercare@youngepilepsy.org.uk. If we cannot resolve your fundraising complaint, you can also submit your complaint to the Fundraising Regulator here: https://www.fundraisingregulator.org.uk/complaints/make-complaint