Privacy policy


1. Who we are and Policy statement

Headway – the brain injury association (Headway UK), registered charity (charity number 1025852, registered address Bradbury House, 190 Bagnall Road, Old Basford, Nottingham, NG6 8SF) is committed to protecting your personal information and being transparent about what information we hold. This includes, but is not limited to, personal data held on workers, service users and stakeholders. Your personal data is defined as any information that can directly or indirectly identify you. For the purposes of UK Data Protection Law, we are registered with the ICO under registration number Z8639619.

This policy explains when and why we collect personal information about people (whether that be via our website, phone, email, social media, other correspondence or via third parties or publicly available information) in addition to how we use it, the conditions under which we may disclose it to others, how we keep it secure and information regarding data subjects’ rights and how to exercise them.

2. Definitions

WORKERS

This includes all employees of Headway UK including apprentices, any casual workers and agency workers engaged by Headway UK.

SERVICE USERS

This includes individuals that use Headway UK services, such as people directly impacted by brain injury, including survivors, their family members and carers; professionals accessing Headway support via the website, publications or helpline; or corporate and individual members of Headway UK.

STAKEHOLDER

This includes volunteers, fundraisers, professionals, contractors, corporate partners, and others that come into contact with Headway UK. 

3. Principles

We are committed to maintaining transparency regarding the collection, use, and processing of personal information. Clear and understandable language will be used to communicate our privacy practices.

We will only collect and process personal information for lawful purposes, ensuring fairness and limiting the use of data to the purposes for which it was originally collected.

We will only collect the minimum amount of personal information necessary for the specified purpose and will not retain it for longer than required.

We will take reasonable steps to ensure the accuracy of the personal information we collect, and individuals have the right to update or correct their information.

The security of personal information is of utmost importance. We implement appropriate technical and organisational measures to protect against unauthorised access, disclosure, alteration, and destruction.

4. Scope and Limitations

The policy will be applied in accordance with relevant UK legislation.

This policy applies to the collection, processing and storage of personal data obtained through our website, products, services and any other interactions with us.

This policy does not apply to third party websites, services or applications that may be accessed through links on our platforms. We encourage all users to review the privacy policies of those third parties.

5. Responsibilities

The Data Protection Officer (DPO) and internal data protection lead is responsible for overseeing the implementation of this privacy policy and ensuring compliance with data protection laws.

Workers should make themselves aware of the policy and engage in any relevant training. Workers should adhere to the policy when processing data of any nature. 

They should also report any potential breaches and subject access requests to the DPO and internal data protection lead.

Managers should make sure that workers within their area have access to the policy and procedure. When a serious matter is raised with them that may constitute a protected disclosure, they should follow the procedure or seek advice from HR.

6. The types of personal information we collect

a. Basic information

We will usually collect basic information about you, including your name, postal address, telephone number, email address and your bank details if you are supporting us financially or receiving support from our Emergency Fund. Employee data, such as emergency contact details or your personal email address, may also be collected.

If you make a donation online or purchase a product from us, your card information is not held by us. It is collected by our third-party payment processors which specialise in the secure online capture and processing of credit/debit card transactions.

b. Getting to know you better

We also collect information about you that helps us to get to know you better and support you more effectively. This may include:

• Information you tell us through our surveys.
• Records of donations you have made towards fundraising appeals.
• Your preferences of how you would like us to contact you.
• Ways in which you have helped us through volunteering your time.
• Records of events you have attended, or campaigns or activities that you have been involved in.

Sometimes we will collect other information about you such as your date of birth and gender, or your photograph. When we do so, we will be very clear as to why we are collecting such information, and we will only do so with your specific consent and permission. Once again, most of the time we collect this data from you directly.

We will also collect information on those who use our direct services. This may include information specific to your health, including details about your brain injury (if appropriate), any medication or support needs you may have.

7. Legal basis for collecting personal data

There are different lawful reasons for processing personal data and special categories of personal data. Headway UK will only process personal information and special categories of personal data in line with the lawful reasons for doing so.

The six lawful reasons for processing personal data are:
• Consent – You have given consent for the processing of your personal data.
• Contract – The charity has a contract and we need to process your personal data to comply with our obligations under the contract; or we haven’t yet got a contract but have been asked to do something as a first step and we need to process the personal data to do what they ask.
• Legal obligation – The charity is obliged to process personal data to comply with a legal obligation.
• Vital interests – The processing of personal data is necessary to protect your vital interests.
• Public task – The processing of personal data is necessary under public functions and powers set out in law; or the charity needs to perform a specific task in the public interest.
• Legitimate interests – The processing of personal data is in the legitimate interests of the charity, where we use your data in ways that people would reasonably expect and that have a minimal privacy impact.

To process special categories of data, we rely on additional conditions of the UK GDPR and Data Protection Act 2018.

Workers

We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for workers.

We may also use ‘legal obligation’ for processing certain data, for example when sharing data with HMRC or enrolling employees onto a pension scheme.

We mainly use ‘legitimate interest’ for workers’ supervision and appraisal records, and for using workers’ images on our website or in promotional materials.

Service Users

We rely on ‘legitimate interest’ to process the majority of personal data of service users. Where this processing is of special categories of data, we rely on the support of additional conditions of the data protection legislation. We keep a Record of Processing Activities which further outlines the legal bases used to process all data.

When we legitimately process your personal information, we also consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example, where collection and use of your information would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).

We rely on legitimate interest to receive your personal data from independent Headway charities that you are a part of, if you take part in the Outcomes Star project to track the effectiveness of services.

To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concerns to relevant authorities. In such circumstances, we apply ‘vital interest’ and ‘legitimate interest’ as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case-by-case basis.

Supporters

We rely on our legitimate interest to process supporter/donor data. If you agree that we can claim Gift Aid on your donations, we have a ‘legal obligation’ to keep a record of the claim and your Gift Aid declaration. We rely on your consent to send you marketing electronically; we may use our legitimate interest to send you marketing via post.

8. Why we collect personal data

Workers

We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or agreement, without which we would be unable to employ you. Holding your personal data enables us to meet various administrative tasks, legal obligations or contractual/agreement obligations.

Service users

We may use your personal information to:
• Carry out a thorough assessment of your needs
• Provide an appropriate service which best meets your needs
• Monitor and manage risk
• Protect yourself and the general public
• Safeguard you
• Track and evidence the effectiveness of the Headway network of independent charities and volunteer-led branches

The personal data we collect can also help the charity in a number of ways. In other words, doing so furthers the ‘legitimate interests’ of the charity and the pursuit of our aims and objectives. This includes but is not limited to:

• Providing more effective assistance to repeat callers to our helpline to prevent brain injury survivors having to explain their support needs each time they call.
• Signposting people to more appropriate support services depending on their needs.
• Shaping our services, for example through the production of new publications.
• Sharing your stories with your consent to raise awareness of brain injury.
• Better understanding our supporters to enable us to provide targeted and appropriate material.

We may also use anonymised or unidentifiable information about you and your interactions with the charity to demonstrate our impact, need for support and gaps in service provision. This data does not identify you, but will be shared with the public, funders, politicians, service providers and any interested parties. We have a legitimate organisational interest to use information in this way and there is no overriding prejudice to you by using your information for this purpose.

Supporters

Collecting your information allows us to process any donations, deal with any potential enquiries and provide you with the correct information to engage with Headway. If you attend any of our events, we process your data in order to administer your sign up, process payments and keep a log of event attendees.

We may use your information to contact you about further opportunities to support us if we have your consent, or on the basis of our legitimate interests where these opportunities are shared via post.

9. How we collect personal data

You give it to us directly

Most of the time, we collect data from you directly or, if you are a brain injury survivor, from a family member or carer. Sometimes this is in person, other times it is over the telephone, in writing, via our website forms, via applications or through an email. We also collect IP addresses and information regarding what web pages are accessed and when.

You may give us your information in order to sign up for one of our events, volunteer, make a donation, purchase our products, share your story, contact our helpline, apply for a Brain Injury Identity Card or Emergency Fund grant, request support, apply for a job or communicate with us.

Sometimes when you support us, your information is collected or processed by a third-party organisation working for us, but we are responsible for your data at all times.

You give it to us indirectly

Your information may also be shared with us by independent event organisers, for example the London Marathon or fundraising sites like JustGiving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support us and with your consent. You should check their privacy policy when you provide your information to understand fully how they will process your data.

When you give permission to other organisations to share it, or it is available publicly

If you receive support from independent Headway charities and take part in the Outcomes Star initiative (to track service effectiveness), we gain your permission to receive any personal data that you share as part of the project directly from the independent Headway charity.

Occasionally we obtain information, such as your telephone number or other contact details, from external sources (only where you have given permission for such information to be shared) or publicly available information. We may combine information you provide with information available from external sources in order to gain a better understanding of our supporters, to improve our fundraising methods, products and services.

The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:

• Third party organisations: You may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
• Social media: Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
• Information publicly available: This may include information found in places such as Companies House, the Charity Commission, LinkedIn as well as information that has been published in newspapers.

10. Sharing your data and confidentiality 

Workers

Data in relation to your salary is shared with HMRC as part of our legal obligation. Data may be shared with third parties for the following reasons: for the administration of payroll, pension, HR functions, administering other employee benefits. When sharing information with third parties, we have data sharing, processor agreements or contracts in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

Service users

We may use legitimate interest, legal obligation or your consent to share your personal data with delivery partners in order to provide you with a quality service which best suits your needs. Other organisations may act as an individual data controller of your personal information and you should read their privacy notice in addition to this one, or third parties can act as data processors and for that reason they will process your data on our behalf. In both of these instances, we make sure the organisations that we share data with have signed contracts to ensure they are bound to take care of your data in the same way we do.

To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concerns to relevant authorities.

We will never sell your details to any third party.

11. Retention periods

We will hold your data for as long as is required by any legislation/legal requirements such as fulfilling a contract or accountancy requirements. Where there is no legally defined time we will assess and define the length of time based on business requirements balanced with personal interests, for example the need to retain information in order to provide support to you or acknowledge our donors’ support. Get in touch if you want to know more about our retention periods.

12. Your data protection rights

Under data protection law, you have certain rights regarding the personal data that we hold about you, including:

• Right to be informed: You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out; however, if you would like further information, please get in touch.
• Right of access: You have the right to ask us for copies of your personal information, along with the information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for automated decision making.
• Right to rectification/accuracy: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Right to erasure/right to be forgotten: You have the right to ask us to erase some or all of your personal information in certain circumstances. Sometimes (where we have a legal obligation) we cannot erase your personal data.
• Right to restriction of processing: You have the right to ask us to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
• Right to object to processing: You have the right to object to the processing of your personal information in certain circumstances (such as where it is based on legitimate interests or for direct marketing).
• Right to data portability: You have the right to ask that we transfer some of the personal information you gave us to another organisation, or to you, in certain circumstances.
• Right to withdraw consent: Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
• Automated decision making: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you. We currently use software to improve our donor targeting – get in touch if you’d like to know more.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us using any of the methods at the end of this notice if you wish to exercise any of these rights.

13. Fundraising and Marketing Communications

Your contact details may be used to provide you with information about our services or our fundraising opportunities via:

Post

We may use your Consent or our Legitimate Interest to send you fundraising or marketing communications by post. If you prefer not to hear from us in this way, please get in touch by using any of the contact details listed at the bottom of this notice.

Email, text or other electronic message

We will only send you fundraising and marketing communications by email, text or other electronic message if you have been involved in a commercial transaction with us. You may opt-out of our fundraising and marketing communications at any time by clicking the unsubscribe link at the end of our e-mail communication. Alternatively, you can let us know by using any of the contact details listed at the bottom of this notice.

14. How to contact us

If you have any questions regarding this Privacy Notice and our use of your personal data, or would like to exercise any of your rights, please get in touch via the following information:

Email us: enquiries@headway.org.uk

Telephone us: 0115 924 0800

Write to us: Headway – the brain injury association, Bradbury House, 190 Bagnall Road, Old Basford, Nottingham, NG6 8SF

Data Protection Officer: Abbie Beckett, Hope & May – abbie.beckett@hope-may.com

15. How to complain

If you believe your data is being handled in a way that breaches data protection legislation, you disagree with how we are processing your data or you have a complaint, please contact us using one of the above methods.

You also have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by:

Telephone: 0303 123 1113

In writing: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Or by going online to www.ico.org.uk/concerns

16. Implementation Arrangements

All new members of staff are made aware of the policy and requirements during the staff induction process. Updated and amended procedures are disseminated in accordance with the policy review dates.

Training and updating of information is carried out with relevant staff to increase awareness of the requirements.

17. Monitoring and Review

This policy will be reviewed every three years or when there are relevant changes to laws and regulations.
