Privacy and data protection policy
Updated: 24 December 2019
At the National Autistic Society, we are committed to protecting your privacy. This policy has been written in accordance with the Data Protection Act 2018, which complements the General Data Protection Regulation. If you have any questions regarding our management of your personal data, or wish to lodge a complaint about how we use your information, please contact:
Data Protection Officer
The National Autistic Society
393 City Road
London EC1V 1NG
How do we collect information?
- When you interact with us. We collect personal information from you when you submit a form, register with our website, make a purchase, make a donation, or otherwise provide us with personal information, whether online, on the phone or via post.
- When you interact with third parties. We may also receive information about you from third parties, for example when you sign up to fundraise for the National Autistic Society using a service such as JustGiving. Where we obtain your details from a third party, we will process the data to the same standards set out in this policy.
- Publicly available information. Very occasionally, we may access publicly available information from newspapers, or other media such as LinkedIn, to support our charitable activities. Such information is used to assess your likely interest in supporting the National Autistic Society and any subsequent data processing or contact is subject to the standards set out in this policy.
What information do we collect?
The types of information collected will typically include: your name, date of birth, e-mail address, full postal address and telephone number. We will also collect, and securely hold, data you supply us related to a financial donation, or Direct Debit mandate, or to allow us to claim Gift Aid. We do not keep on record data related to social media usage or accounts.
Sensitive personal information. Some data – around your health or ethnicity, for example – is classified as sensitive and therefore needs to be handled more securely. We have proper processes in place for making sure that such data is handled with the utmost care and only in relation to the purpose it is submitted.
We may collect personal sensitive information when asking demographical questions as part of a survey response. These responses will be used in aggregated format and anonymously, for the purpose of analysing survey results only. We will not retain the data for longer than needed and will ensure it is securely deleted after use.
As standard, we ask people to answer a multiple-choice ‘connection with autism’ question on our data capture forms. Some answers – in which an individual identifies as autistic, for example – may be deemed as containing sensitive personal information, and we treat all such responses accordingly. This data is kept securely and used only to help the National Autistic Society better tailor its communications.
How do we use this information?
We will use your personal information to provide you with the services, products or information you have requested, for administrative purposes – such as processing a donation – and, if you allow it, to further our charitable aims, including contacting you about our fundraising and campaigning activities. We will not use your personal data for any purpose other than the ones which we have stated to you. We will always use an appropriate legal basis for processing your data and are committed to handling your information according to the principle of lawfulness, fairness and transparency.
To help us communicate more effectively with our supporters, we sometimes undertake geo-demographic analysis, using – in anonymised format – the information you have provided to us.
We hold your data on a secure database and in usable format only for as long as is required, up to a maximum of four years, or for as long as we are required to do so by law (for example, we may need to keep a record of any financial transactions for a pre-determined period of time).
Where we use service providers – such as fundraising services suppliers, fulfilment partners, and data, digital or IT service agents – to help us carry out our charitable activities, meet our organisational aims, and to ensure that our records are kept up-to-date, then we ensure that our contracts with these providers protect your information, and prevent its use for any other purpose.
We only use your personal information for direct marketing purposes if we have your consent (for electronic communications) or where we already have an existing relationship with you (for postal or telephone communications). If you no longer want to hear from us, please let us know by emailing firstname.lastname@example.org or calling 0808 800 1050.
You can change or withdraw your consent for us to hold or to use your personal data for the purposes set out above by emailing email@example.com or calling 0808 800 1050. Alternatively, you can write to us at 393 City Road, London EC1V 1NG.
We try to ensure that any changes to your personal data are enacted as soon as the request is processed, which is usually within two working days. Please note, however, that due to the way our communications are prepared this can take up to four weeks to come into effect.
Please also note that withdrawal of consent will not stop us from sending you administrative communications where necessary (for example, to deliver you information about a purchase or subscription service).
How do we protect personal information?
We use secure servers when you make a donation or purchase through our website. We also take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and only for so long as is necessary.
We may occasionally need to transfer your information to countries or jurisdictions that do not provide the same level of data protection as the UK. This is usually to the USA, where we rely on the bilateral EU/US Privacy Shield agreement to protect your data. If we do make such a transfer, we will, where necessary, put a contract in place to ensure your information is properly safeguarded and protected in line with UK law.
Under current data protection laws, you are free to exercise at any time the following rights:
- Access. You have the right to ask for a copy of the information we hold about you.
- Portability. You can request that your information is supplied to you in a readily usable electronic format.
- Rectification. You have the right to have any inaccuracies in your personal details corrected.
- Erasure. You can also request that we remove your records from our database.
- Restriction. You can also tell us to stop using your data for a specific purpose.
- Objection. You can object to us using your personal data for any purpose and regardless of the legal basis for processing.
You can exercise any or all of these rights by emailing firstname.lastname@example.org, calling 0808 800 1050, or writing to us at 393 City Road, London EC1V 1NG. We will acknowledge receipt of all such requests within three working days and fully respond within four weeks.
Making a complaint
If you are in any way unsatisfied with how we process your data, you should contact our Data Protection Officer. We will acknowledge your complaint within three workings days and respond to you in full as soon as we can.
You have the right to speak to the UK’s national data protection authority, the Information Commissioner’s Officer, at any time and about any organisation’s information rights practices. The Office can be contacted online or through a dedicated Helpline (0303 123 1113).
Changes to personal details
If your personal details change, please help us to keep your information up to date by notifying us.
You can do this by:
- emailing email@example.com
- changing your details in your profile if you are registered with our website
- posting your changes to us at 393 City Road, London EC1V 1NG.
We reserve the right to amend this privacy statement so please do check back from time to time. If we do so, we will post notice of the change on our website and make every effort to inform you of any material changes to the policy. This policy will have been provided to you – either in full or via hyperlink – at the time your data was submitted to the National Autistic Society.