Privacy policy

If you need a simpler version, you can download our Easy Read Privacy Policy (PDF) — designed to be clear and easy to understand.

1. Policy Statement

Headway – the brain injury association (Headway UK) is committed to protecting your personal information and being transparent about what information we hold. This includes, but is not limited to, personal data held on workers, service users and stakeholders.

This policy explains when and why we collect personal information about people, whether that be via our website, phone, email, social media, other correspondence or via third parties or publicly available information, in addition to how we use it, the conditions under which we may disclose it to others and how we keep it secure.

2. Definitions

WORKERS: This includes all employees of Headway UK including apprentices, any casual workers and agency workers engaged by Headway UK.

SERVICE USERS: includes individuals that use Headway UK services, such as people directly impacted by brain injury, including survivors, their family members and carers; professionals accessing Headway support via the website, publications or helpline; or corporate and individual members of Headway UK.

STAKEHOLDER: includes volunteers, fundraisers, professionals, contractors, corporate partners, and others that come into contact with Headway UK.

3. Principles

We are committed to maintaining transparency regarding the collection, use, and processing of personal information. Clear and understandable language will be used to communicate our privacy practices.

We will only collect and process personal information for lawful purposes, ensuring fairness and limiting the use of data to the purposes for which it was originally collected.

We will only collect the minimum amount of personal information necessary for the specified purpose and will not retain it for longer than required.

We will take reasonable steps to ensure the accuracy of the personal information we collect, and individuals have the right to update or correct their information.

The security of personal information is of utmost importance. We implement appropriate technical and organisational measures to protect against unauthorised access, disclosure, alteration, and destruction.

4. Scope and Limitations

The policy will be applied in accordance with relevant UK legislation. This policy applies to the collection, processing and storage of personal data obtained through out website, products, services and any other interactions with us.

This policy does not apply to third party websites, services or applications that may be accessed through links on our platforms. We encourage all users to review the privacy policies of those third parties.

5. Responsibilities

The Data Protection Officer (DPO) is responsible for overseeing the implementation of this privacy policy and ensuring compliance with data protection laws.

Workers should make themselves aware of the policy and engage in any relevant training. Workers should adhere to the policy when processing data of any nature.

They should also report any potential breaches to the DPO.

Managers should make sure that workers within their area have access to the policy and procedure. When a serious matter is raised with them that may constitute a protected disclosure, they should follow the procedure or seek advice from HR.

The data controllers are responsible for the processing of personal information.

6. The types of personal information we collect

a. Basic Information

We will usually collect basic information about you, including your name, details about your brain injury (if appropriate), postal address, telephone number, email address and your bank details if you are supporting us financially or receiving support from our Emergency Fund. Employee data, such as emergency contact details or your personal email address, may also be collected.

If you make a donation online or purchase a product from us, your card information is not held by us. It is collected by our third-party payment processors which specialise in the secure online capture and processing of credit/debit card transactions.

Most of the time, we collect this data from you directly or, if you are a brain injury survivor, from a family member or carer. Sometimes this is in person; other times, it is over the telephone, in writing or through an email. Occasionally we obtain information, such as your telephone number or other contact details, from external sources (only where you have given permission for such information to be shared) or publicly available information. We also collect IP addresses and information regarding what web pages are accessed and when.

b. Getting to know you better

We also collect information about you that helps us to get to know you better and support you more effectively. This may include:

  • Information you tell us through our surveys.
  • Records of donations you have made towards fundraising appeals.
  • Your preferences of how you would like us to contact you.
  • Ways in which you have helped us through volunteering your time.
  • Records of events you have attended, or campaigns or activities that you have been involved in.

Sometimes we will collect other information about you such as your date of birth and gender, or your photograph. When we do so, we will be very clear as to why we are collecting such information, and we will only do so with your specific consent and permission. Once again, most of the time we collect this data from you directly.

We will also collect information on those who use our direct services. This may include information specific to your health, including any medication or support needs you may have.

7. Legal basis for collecting personal data

There are different lawful reasons for processing personal data and special categories of personal data.

Headway UK will only process personal information and special categories of personal data in line with the lawful reasons for doing so.

The six lawful reasons for processing personal data are:

  • Consent – You have given consent for the processing of your personal data.
  • Contract – The charity has a contract and we need to process your personal data to comply with our obligations under the contract; or we haven’t yet got a contract but have been asked to do something as a first step and we need to process the personal data to do what they ask.
  • Legal obligation – The charity is obliged to process personal data to comply with a legal obligation.
  • Vital interests – The processing of personal data is necessary to protect your vital interests.
  • Public task – The processing of personal data is necessary under public functions and powers set out in law; or the charity needs to perform a specific task in the public interest.
  • Legitimate interests – The processing of personal data is in the legitimate interests of the charity, where we use your data in ways that people would reasonably expect and that have a minimal privacy impact.

The lawful basis for processing special categories of data are:

  • You have given explicit consent to the processing of personal data for one or more specified purposes, except where limited by law.
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the charity or a person under employment, social security and social protection law or a collective agreement under law.
  • Processing is necessary to protect your vital interests or where you are physically or legally incapable of giving consent.
  • Processing relates to personal data which have been made public by a person.
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Processing is necessary for reasons of substantial public interest.

8. Why we collect personal data

The personal data we collect can help the charity in a number of ways. In other words, doing so furthers the ‘legitimate interests’ of the charity and the pursuit of our aims and objectives. This includes but is not limited to:

  • Providing more effective assistance to repeat callers to our helpline to prevent brain injury survivors having to explain their support needs each time they call.
  • Signposting people to more appropriate support services depending on their needs.
  • Shaping our services, for example through the production of new publications.
  • Better understanding our supporters to enable us to provide targeted and appropriate material.

When we legitimately process your personal information in this way, we also consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example, where collection and use of your information would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).

We may also use anonymised or unidentifiable information about you and your interactions with the charity to demonstrate our impact, need for support and gaps in service provision.

This data does not identify you, but will be shared with the public, funders, politicians, service providers and any interested parties. We have a legitimate organisational interest to use information in this way and there is no overriding prejudice to you by using your information for this purpose.

9. How we collect personal data

You give it to us directly: You may give us your information in order to sign up for one of our events, volunteer, make a donation, purchase our products, contact our helpline, apply for a Brain Injury Identity Card or Emergency Fund grant, request support, apply for a job or communicate with us.

Sometimes when you support us, your information is collected or processed by a third-party organisation working for us, but we are responsible for your data at all times.

You give it to us indirectly: Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like JustGiving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support us and with your consent. You should check their privacy policy when you provide your information to understand
fully how they will process your data.

When you give permission to other organisations to share or it is available publicly: We may combine information you provide with information available from external sources in order to gain a better understanding of our supporters, to improve our fundraising methods, products and services.

The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:

  • Third party organisations: You may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
  • Social media: Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
  • Information publicly available: This may include information found in places such as Companies House, the Charity Commission, LinkedIn as well as information that has been published in newspapers.

10. Retention periods

We will hold your data for as long as is required by any legislation/legal requirements such as fulfilling a contract or accountancy requirements. Where there is no legally defined time we will assess and define the length of time based on business requirements balanced with personal interests, for example the need to retain information in order to provide support to you or acknowledge our donor’s support.

Further information can be found in our Data Retention Policy.

11. Your data protection rights

Under data protection law, you have rights including:

  • Your right of access: You have the right to ask us for copies of your personal information.
  • Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing: You have the the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us at enquiries@headway.org.uk if you wish to make a request.

12. How to contact us

If you have any questions regarding this policy or Headway UK’s approach to data you can contact us at

Headway – the brain injury association
Bradbury House
190 Bagnall Road
Old Basford
Nottingham
NG6 8SF
Telephone : 0115 924 0800
Email: enquiries@headway.org.uk

13. How to complain

If you believe your data is being handled in a way that breaches data protection legislation, you disagree with how we are processing your data or you have a complaint please contact our Data Protection on enquiries@headway.org.uk.

You also have the right to complain to the Information Commissioner’s Office (ICO). For further details you can visit their website at ico.org.uk

14. Implementation Arrangements

All new members of staff are made aware of the policy and requirements during the staff induction process. Updated and amended procedures are disseminated in accordance with the policy review dates.

Training and updating of information is carried out with relevant staff to increase awareness of the requirements.

15. Monitoring and Review

This policy will be reviewed every three years or when there are relevant changes to laws and regulations.