St John Ambulance Cymru is committed to protecting your privacy and takes this responsibility very seriously. We therefore take care to safeguard it. This notice outlines what data we collect, how we may use it, how we protect your data and your rights, and how you can exercise those rights.
References to St John, 'we' or 'us' are to St John Ambulance Cymru, registered charity no: 250523 (Wales) and registered company no: 5071073.
We regularly check this notice to ensure we provide you with the most up-to-date information regarding our data processing activities. We strongly advise you to read this page from time to time to ensure you are happy with any changes that might be made.
If you have any questions about this policy, please contact us:
St John Ambulance Cymru
Telephone: 0300 2011 999
1. Why we collect your data
We collect personal data for many reasons, including to provide you with services, communicate with you and send you information you have requested, and administer campaigns and donations. Depending on how you interact with us, we may process data for the following reasons:
- to administer services St John is providing to you
- to process personal details required for the administration of your booked training course
- to process a purchase of St John products, such as first aid kits and other supplies
- to record and contact you regarding payments you make to St John
- to communicate with you regarding St John’s work, fundraising, and campaigning activities
- to process donations and administer Gift Aid information for any donation you make to St John
- to provide you with information about and to administer events, including mass participation events, concerts and fundraising events
- to administer and send you information about our legacy programme
- for our own internal administrative purposes, and to keep a record of your relationship with us
- to manage your communication preferences
- to process job applications or volunteer placements
- to conduct surveys, research and gather feedback
- to obtain information to improve St John Ambulance Cymru’s services and user experiences
- to carry out research to find out more information about our supporters’ and prospective supporters’ backgrounds and interests
- to comply with applicable laws and regulations, and requests from statutory agencies
2. Information we collect
We collect the following personal information:
- your full name
- date of birth
- contact details – including your postal address, telephone number(s), and email address
- your bank details
- records of your correspondence and engagement with us
- donation history and Gift Aid details
- information you may enter on the St John website
- photographs, video or audio recordings
- biographical information
- other information you share with us
This information may be collected via:
- any paper forms you complete
- telephone conversations or face-to-face interactions
- digital forms completed via our website, or online surveys
- third-party companies and websites such as Just Giving, Wesser
- publicly available sources
- communication via social media
We sometimes also collect sensitive, personal data about individuals. This includes information about health, religion, sexuality, ethnicity, political and philosophical beliefs, and criminal records. We will normally only record this data where we have your explicit consent, unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance to comply with requirements under charity law and the Code of Fundraising Practice, to ensure that we do not send fundraising communications to them.
3. Using your personal data
We use customer relationship management systems (CRM) to support our service. This means that we can keep the information you provide us, so we are able to see the history and relevant details of your case(s). This ensures that we provide you with appropriate and accurate information. We take information security very seriously. No one is allowed access to our system or files unless they need this to provide the service to you, or for one of the other purposes discussed in this notice.
When you call us, your call may be recorded. This could be used for training purposes, quality assurance, complaint investigations, and to make further improvements to the service we provide to you. You are informed of the recording before any data collection occurs.
We would love to keep you up to date with our fundraising, marketing and campaign activity.
We use a range of marketing activities and channels to contact our supporters – including our website, face-to-face fundraising, direct mail, email, and telephone.
We will obtain your consent to contact you by email, phone and post for marketing purposes. We will also obtain consent from all new supporters (who sign up after 25 May 2018) to make marketing calls.
We will contact existing supporters by phone, on the basis of it being within our legitimate interests to do so, unless they are registered with the Telephone Preference Service or have opted out of receiving marketing communications from St John. See section 10 (‘Our legal basis for processing data’) for more information about our use of legitimate interests.
We send the following marketing materials:
- Updates about St John’s work – including newsletters, magazines, and other publications informing you about our work
- Campaigns – information about our campaigning activities throughout Wales, including how you can support such campaigns (for example by lobbying influential figures or signing a petition), and updates about the progress of our campaigns
- Appeals and fundraising activities – including requests for donations, information about how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in a fundraising event and updates on the impact that your fundraising activities have had on our work
- Events – including details of our challenges, events, or other sponsored runs and activities, as well as other events such as concerts and dinners in aid of St John. If you sign up to a St John event, we will also send you administrative communications about how you can take part. On occasion we will also send you a reminder about the same event in future years, in case you want to participate in it again
- Products – including information about products offered by our online store
- Volunteering – information about how you can help support St John by giving up your time or using your influence to progress our aims, along with updates on the impact of your work
- Professional services – including details of the professional services that St John offers, such as training, patient transport and youth work.
We will never share or sell your personal data to a third-party organisation for its marketing, fundraising or campaigning purposes.
You can withdraw your consent, unsubscribe from or update your marketing preferences at any point using the details in the ‘Contact us’ section below.
Any electronic communications, such as emails, will have a link to unsubscribe from future electronic communications, so you can manage your own communication preferences.
If you make any changes to your consent, we will update your record as soon as we possibly can. It may take up to 60 days for our systems to update and stop any postal and email communications from being sent to you. If you tell us you do not wish to receive marketing, fundraising or commercial communications, you may still receive transactional and service-based communications confirming and servicing other relationships you have with us (as described below). You can also opt out of receiving marketing communications from us via our Keeping in Touch page.
Where possible, we cleanse and remove out of date data by checking it against publicly available records such as deceased records. This helps us to improve the delivery rate of our mailings and minimise wasted expenditure.
Administrative communications to supporters
In addition to the fundraising and marketing communications that you receive from St John, we will also communicate with you by post, telephone, and email in relation to administrative and transactional matters. For example, we will call you after you have set up a Direct Debit to confirm your details, and upon cancellation. There may also be other occasions where we need to contact you about your donation – for example, if there is a problem with a payment or in relation to your gift aid declaration.
On occasion, we will also contact you about an event that you have signed up to participate in, to – for example – check that fundraising pages have been set up and to provide any other necessary information.
As mentioned above, we may still need to communicate with you for administrative purposes even where you have opted out of marketing communications from us.
4. Supporter research and analysis
We may use profiling and database segmentation techniques to analyse your personal information, and create a profile of your interests, preferences and ability to donate. This allows us to ensure communications are relevant and timely, to provide an improved experience for our supporters. It also helps us understand the background of our supporters so that we can make appropriate requests to those who may be willing and able to donate more than they already do, or leave a gift in their will. This enables us to raise funds quicker and in the most cost-effective way.
Our fundraising team uses information that is already in the public domain (information that has been published in print or online) to identify high net worth individuals who may be interested in supporting our work with a major gift. These publicly available sources of information include Companies House, the electoral register, the phone book, the Charity Commission’s Register of Charities, Who’s Who, LinkedIn, company annual reports, and articles in newspapers and magazines. We do not use publicly available sources which we consider would be intrusive for this purpose, such as Facebook, Twitter, JustGiving, the Land Registry, online planning applications or websites that are like these.
Under data protection legislation, you have the right to object to your data being processed in this way. If you wish to opt out of being identified as a high net worth individual, please contact our fundraising team at this address: email@example.com
We are also legally required to carry out checks on individuals who give us large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.
5. St John Ambulance Cymru Training Company Limited
When you purchase an item from our online shop, we may collect certain information from you – including your name, address, phone number, email address, Gift Aid status, marketing preferences, and payment details – so that we can process your purchase or contact you if we have any queries regarding your purchase.
Where you have purchased an item from our shop we may contact you again about similar products or services. We will always give you the opportunity to opt out of receiving further communications of this nature.
When you provide St John Training Company Limited with your data, it is held and processed by St John. Depending upon the communication preferences you select when registering your details, we may then also contact you for fundraising and marketing purposes, about the activities listed in the fundraising and marketing communications section of this policy.
6. Social media/digital
Depending on your settings or the privacy policies for social media messaging services like Facebook, Twitter, and Instagram, you may receive targeted advertisements through our use of social media audience tools. For example, Facebook’s ‘Custom’ and ‘Lookalike’ Audiences programmes enable us to display adverts to our existing supporters when they visit Facebook, or to other people who have similar interests or characteristics to our supporters. We may provide your data (including your email address) to Facebook, so it can determine whether you are a registered account holder with them, or so that Facebook can create a ‘lookalike’ audience. Our adverts may then appear when you access Facebook. We only work with social media networks that provide a facility for secure and encrypted upload of data, and immediately delete any records not matching with their own user base. For more information, or to manage your social media ad preferences, please see Facebook’s ‘About Custom Audiences’ guide and its Data Policy.
Our website also uses or pixels through third-party service providers that allow us to track conversions and activity on our website as well as generating advertisements that appear on Facebook and other search engines, like Google, for you and other potential users. Please see our Cookies Policy for more information.
If you receive an email, open it, don’t open it, select a link and/or browse our website, we collect this information to ensure that the information we send to people is received and relevant.
7. Applying for a St John Ambulance Cymru job or volunteer opportunity
When you apply for a job with us, your personal data will be collated to monitor the progression of your application, and the effectiveness of the recruitment process through the statistics collected. Where we need to share your data – such as for gathering references, obtaining a Disclosure and Barring Services check (depends on the role), or a prison clearance (depends on the role) – you will be informed beforehand, unless the disclosure is required by law. These checks are only done after a position has been offered, although we do ask for your permission on our application form to contact your referees prior to an offer of employment. On the application form, you are asked to complete the referee details, and can tick permission to contact referee. If you tick yes, we will automatically send out reference requests. If you tick no, we will contact successful candidates for permission first.
Personal data about unsuccessful applicants are held for six months after the recruitment exercise is complete for that vacancy. You, as an applicant, can ask us to remove your data before this time if you do not want us to hold it. If we feel there is another suitable vacancy available, we will contact you prior to sharing your application details with the relevant manager.
Once you have taken up employment or volunteering with St John, we will compile a file relating to your employment or volunteering with us. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment or volunteering. Once your employment or volunteering with us has ended, we will retain the file in accordance with the requirements of our retention schedule/legal requirement and then delete it from our records.
8. Professional contacts
We may collect data about professional contacts and partners with whom we work, or to whom we provide professional services – such as training or publications. Personal data collected in this way will be processed in accordance with data protection legislation and this policy.
We may send our professional partners information and updates about our work (primarily by email). Such contacts can opt out of receiving this information at any time.
We maintain a record of information related to MPs and other holders of public office, to enable us to undertake our campaigning activity in furtherance of our charitable aims. This will include keeping a record of contact details such as address, telephone number and email address as well as publicly available voting records and committee and group memberships.
9. Our legal basis for processing personal data
We need a lawful basis to collect and use your personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that we carry out. This includes information that is processed on the basis of:
- a person’s consent (for example, to send you direct marketing by email or SMS)
- a contractual relationship (for example, to provide you with goods or services that you have purchased from us)
- processing that is necessary for compliance with a legal obligation (for example to process a Gift Aid declaration, and carrying out due diligence on donations)
- St John’s legitimate interests (please see below for more information)
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, if its use is fair and does not adversely impact the rights of the individual concerned.
When we use your personal information, we will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:
- Charity Governance: including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes.
- Administration and operational management: including responding to solicited enquiries, providing information and St John services, research, events management, the administration of volunteers and employment, and recruitment requirements
- Fundraising and Campaigning: including administering campaigns and donations, and sending direct marketing by post and email (and in some cases making marketing calls), sending thank you letters, analysis, targeting and segmentation to develop communication strategies, and maintaining communication suppressions
If you would like more information on our uses of legitimate interests, or to change our use of your personal data in this manner, please get in touch with us using the details in the ‘Contact us’ section below.
10. Disclosure of your personal data
We will not share any of your personal data to any third party – except where:
- the transfer is to a secure data processor, which carries out data processing operations on our behalf (please see section 13 for more information)
- we are required to do so by law, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation
- it is necessary to protect the vital interests of an individual
- we have obtained your consent
We will never share or sell your personal data to a third-party organisation for marketing, fundraising, or campaigning purposes.
11. Security of your personal data
We use appropriate technical and organisational measures and precautions to protect your personal data and to prevent the loss, misuse or alteration of your personal data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We encourage you to review the privacy statements of websites you choose to link to from the St John website, so that you can understand how those sites collect, use and share your information. We are not responsible for the privacy statements, security, or other content on sites outside of the website.
12. Use of data processors
We may use a third-party supplier to manage mailings for fundraising appeals and campaigns, conduct research surveys, store your personal information on our behalf, or manage our Data Protection Office. You can find out more about the suppliers that we use by getting in touch with us using the details in the ‘Contact us’ section below.
We actively screen and monitor these companies to maximise the protection of your privacy and security. They are only permitted to use the data in accordance with relevant data protection legislation, under strict instructions from us, and in accordance with a data processing agreement entered into between St John and the supplier.
13. Transfers of data outside of the European Economic Area
We use Microsoft Office 365 and Azure products, which are multi-tenant cloud services, for our internal office use. This means that internal documents and information generated by us are stored in cloud services hosted within the European Economic Area (EEA).
14. Retention of your data
Whatever your relationship with us, we will only store your information for a specified amount of time, as set out in our internal data retention policy.
The length of time that data will be kept may depend on the reasons for which we are processing the data and on the law or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulation etc., or any contractual obligation we might have – such as with government contracts or if we have a business case, such as with research data. For business case data, we will anonymise the data so no individual is identifiable.
Subject to the above, we will typically store data relating to donors and people who have taken campaign actions for seven years after their last donation or interaction, and people to whom we provide services for seven years after completion of those services. Personal data about unsuccessful applicants are held for six months after the recruitment exercise is complete for that vacancy.
Once the retention period has expired, the information will be confidentially disposed of or permanently deleted.
If you request to receive no further contact from us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future.
15. Your rights
You have many rights under data protection legislation. These include:
- Right of Access - You have the right to know what information we hold about you and to ask, in writing, to see your records. We will supply any information you ask for that we hold about you as soon as possible, but this may take up to 30 days. We will not charge you for this other than in exceptional circumstances. You will be asked for proof of identity as the person dealing with your request may not be the staff member you have met before. We need to be sure we are only releasing your personal data to you. This is called a data subject access request (SAR), and can be done by emailing DPO@stjohnwales.org.uk or writing to the Data Protection Officer, St John Ambulance Cymru, Priory House, Beignon Close, Cardiff CF24 5PB
- Right to be informed - You have the right to be informed how your personal data will be used. This policy, as well as any additional information or notice that is provided to you either at the time you provided your details, or otherwise, is intended to provide you with this information.
- Right to withdraw consent - Where we process your data based on your consent (for example, to send you marketing texts or emails), you can withdraw that consent at any time. To do this, or to discuss this right further with us, please contact us using the details in the ‘Contact us’ section below.
- Right to object - You also have a right to object to us processing data where we are relying on it being within our legitimate interests to do so (for example, to send you direct marketing by post). To do this, or to discuss this right further with us, please contact us using the details in the ‘Contact us’ section below.
- Right to restrict processing - In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.
- Right of erasure (right to be forgotten) - In some cases, you have the right to be forgotten (i.e. to have your personal data deleted from our database). Where you have requested that we do not send you marketing materials, we will need to keep some limited information to ensure that you are not contacted in the future.
- Right of rectification - If you believe our records are inaccurate, you have the right to ask for those records concerning you to be updated. To update your records, please get in touch with us using the details in the ‘Contact us’ section below.
- Right to data portability - Where we are processing your personal data because you have given us your consent to do so, you have the right to request that the data is transferred from one service provider to another.
If you have any complaints about the way in which we have used your data, please get in touch with us by using the details in the ‘Contact us’ section below. We would be happy to help and discuss your concerns.
In addition, you are also entitled to make a complaint to:
17. Contact Us
If you have any questions about this policy, would like more information, or want to exercise any of the rights set out in section 15 above, you can get in touch with our Data Protection Officer in the following ways:
Telephone: 0300 2011 999
By Post: Data Protection Officer, St John Ambulance Cymru, Priory House, Beignon Close, Cardiff CF24 5PB.
If you have any complaints or comments about other areas of our work you can contact us on firstname.lastname@example.org