Who we are
Epilepsy Society (the Data Controller) is the UK’s leading provider of epilepsy services. Through our cutting edge research, awareness campaigns, information resources and expert care, we work for everyone affected by epilepsy in the UK. Epilepsy Society is a Registered Charity No. 206186 and a Company Limited by Guarantee No. 492761, located at Chesham Lane, Chalfont St. Peter, Buckinghamshire SL9 0RJ. Our website is owned and operated by Epilepsy Society.
Our promise to you
We promise to respect any personal data you share with us, or that we get from other organisations, and to keep it safe. We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.
We balance your rights as an individual and take every possible step to protect the privacy of the people who contact us. We make sure that we only use your information in the way you have told us that you are happy with. Our staff are trained in data collection and we ensure our systems are fully secured.
Why we collect your data
We will process your personal data when you:
- sign up for our e-newsletter or event
- contact us by email
- carry out a transaction through our online shop
- make a donation
- receive support from one of our services
- apply to work for us
- join through our membership form
- complete a survey
Website service administration and analysis
Your basic personal data will help us to provide you with information on our services, to enable our fundraising activities and the administration of our charity, and to comply with our obligations to keep records (for example, for HMRC when we receive Gift Aid donations).
Developing a better understanding of our supporters through their personal data allows us to tailor our communications and make better decisions on how and what we communicate with you.
If you do not provide us with the data we may be unable to complete an order for you or reclaim tax when you have requested us to do so.
What type of information do we collect about you?
The type and quantity of information we collect and how we use it depends on why you are providing it.
Typically, the basic personal information we collect will include:
- your name
- your contact details
- your date of birth
- your gender
- your email address
- your telephone number
If you have made a donation, we may collect the reason for donating to Epilepsy Society and your bank details (for Direct Debits).
If you receive support from one of our services we will collect more detailed information about you. This could include information about your medical conditions and your support needs. We will also collect information about family, where it is required, such as next of kin and emergency contacts.
Lawful basis for processing your data
Organisations are permitted to process data if they have a legal basis for doing so. Epilepsy Society processes your personal data on the basis that:
- You have given your express and informed consent to the processing; and/or
- Epilepsy Society has a legitimate interest in processing your personal data; and/or
- The processing of the personal data is necessary in relation to a contract or agreement which you have entered into or because you have asked for something to be done so you can enter into a contract or agreement; and/or
- There is a legal obligation on Epilepsy Society to process your personal data.
Where Epilepsy Society is relying solely on consent as the basis for processing your personal data, we are required to obtain, and keep records of, your consent. You can modify or withdraw this consent at any time by notifying us in writing, although this may affect the extent to which we are able to interact with you in future.
Notwithstanding any change to this policy, we will continue to process your personal data in accordance with your rights and our obligations in law.
Marketing and fundraising
We would like to use your name and email address to inform you of our future marketing and fundraising activities. You can unsubscribe at any time via phone, email or our website.
We carry out targeted fundraising activity to ensure that we are contacting you with the most appropriate communication, which is relevant and timely and will ultimately provide an improved experience for you. In doing so, we may use wealth profiling techniques to provide us with information about you. Such information is compiled using publicly available data about you or information that you have already provided to us.
We keep your personal information only for as long as required to operate the service in accordance with legal requirements, tax and accounting rules or to effectively steward our supporters. Where information is no longer required, we will ensure it is disposed of in a secure manner.
We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.
It is always your choice as to whether you want to receive information from us. You may opt out of our marketing communications by clicking the ‘unsubscribe’ link at the end of our marketing emails or through our unsubscribe number 01494 601 300.
You can change any of your contact preferences at any time (including telling us that you don’t want us to contact you for marketing purposes by telephone, or by post) by contacting our Data Protection Officer, James Rutter at email@example.com.
Third Party data
Website users and Cookies
Google Analytics and tagging
Wherever possible when capturing user data on the website for Google Analytics we use aggregated or anonymous information which does not identify individual visitors to our websites. We will only use technologies such as pixel tags and link tagging to track and improve the user experience on our sites, quality of service and to monitor the effectiveness of campaigns and digital marketing activity.
What is a cookie?
A cookie is a small text file of letters and numbers that a website’s server saves to your computer.
Cookies provide useful information that can help in many ways, for example:
- They mean you can use a site more efficiently and save time by not having to re-enter your full login details or preferences each time you visit.
- They can make sure you receive the most relevant information and advertising from the site.
- Cookies can help analyse how visitors interact with a site so that it can be improved.
Epilepsy Society website cookies
Our website uses the following types of cookies:
- Strictly necessary cookies: these cookies are essential in enabling you to move around the website and use its features.
- Functionality cookies: these cookies remember choices you make to improve your experience.
- Performance cookies: these cookies allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily.
- Targeting cookies: these cookies are for 'behavioural advertising' or 'remarketing'. They track your visits around the web and show you relevant online adverts based on your interests. We use carefully selected third parties to set these cookies during your visit.
Some of the cookies we use are session cookies and others are persistent cookies. A session cookie only lasts for the duration of your visit to the website. A web browser normally deletes session cookies when the browser is closed. A persistent cookie will outlast your visit. For example, these cookies could be used to record a vital piece of information such as your preferences.
None of the cookies we use collect personal data about our website visitors.
By using our website, you agree that we can place these types of cookies on your computer.
How to reject cookies
Most of the website will work without cookies but please note that cookies may be necessary to provide you with access to certain parts of this website or to certain features available on our website (for example, your membership area username will not be remembered if you reject cookies).
You can also opt out of Google Analytics tracking by installing a browser plug-in from Google.
Cookies from third parties
Cookies which are from trusted third parties
We utilise the technology of third parties on a regular basis to ensure that we are using up to date systems which are managed by the best companies to provide us with the information that we need. This in turn means that there will be a number of third party cookies from our trusted suppliers used on our websites. Each company is responsible for the cookies that it places onto your device and has separate policy documents to highlight their use.
Our list of trusted third parties who may deploy a cookie to your device, with a link to their cookie details is below:
First party cookies
(Cookie name: OAID)
A persistent cookie used to track banner click activity for analytical purposes.
Google Analytics cookies
(Cookie names: __utma, __utmb, __utmc, __utmz)
__utma is a persistent cookie, which expires after two years. It stores each user's number of visits, the time of the first visit, the previous visit and the current visit.
The __utmb and __utmc cookies work in tandem to calculate the length of a user’s visit. The __utmb cookie registers the entrance time of a visitor and __utmc registers the exit time of a visitor. __utmb is a session cookie, and expires when the user leaves the page. __utmc expires a short time after the user’s visit ends.
__utmz is a persistent cookie, which expires after six months. __utmz stores where a visitor came from (search engine, search keyword, link).
For more information on Google Analytics cookies, please see the Google privacy information.
You can opt out of Google Analytics tracking by installing a browser plug-in from Google.
Strictly necessary cookies
Online shop/donations/transactions cookie
(Cookie name: PHPSESSID)
A session cookie used to keep track of when your online shop/online donation/online transaction session is started/ended.
Membership area login cookies
(Cookie names: __ac cookie, __ac_name, __ac_password, __ac_persistent, login_form, logged_out)
__ac cookie and __ac_name are both used by the site to identify a logged in user. __ac_password is used by the site to identify the user’s password. __ac_persistent, login_form and logged_out are in place to allow the 'Remember my username' option to function.
What we do with your personal information
All the personal data we process is processed by our staff in the UK. For the purposes of IT hosting and maintenance this information is located on servers within the UK and we will not transfer your personal data outside the EEA. No 3rd parties have access to your personal data unless the law allows them to do so.
We have a Data Protection programme in place to oversee the effective and secure processing of your personal data. We do not use any automated decision making.
Keeping your data
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (for example the collection of Gift Aid). We will hold your personal information on our systems for as long as is necessary for the relevant activity, for as long as is set out in any relevant contract you hold with us or for as long as is set in our retention schedule.
If you would like to know how long we keep your information for, please contact our Data Protection Officer.
You have various rights under the GDPR. In particular, you may object to the processing of your personal data. When you want to exercise one of these data subject rights, and you are eligible to, Epilepsy Society will respond according to the GDPR.
- The right of access: you have the right to know whether Epilepsy Society is processing data about you and, if so, you can request access to it.
- The right to rectification: if your personal data is inaccurate, Epilepsy Society will correct it.
- The right to erasure or right to be forgotten: you are able to ask to delete your personal data if you no longer want it to be processed and there is no legitimate reason for Epilepsy Society to keep it.
- The data subject right to restriction of processing: you have the right to limit the processing of your personal data.
- The right to be informed: you have the right to clear and understandable information about who is processing your data, what they are processing and why they are processing it.
- The right to data portability: you have the right to ask us to transfer your personal data to another service provider.
- The right to object: you can tell us if you do not want your personal data to be processed, or to continue being processed.
- The right not to be subject to a decision based solely on automated processing: including profiling, which produces legal effects or significantly affects you.
If you wish to exercise any of the above rights please send a written request to: firstname.lastname@example.org
Alternatively you may call us on 01494 601300 or post your request to:
Data Protection Officer
Chalfont St Peter
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/.
Sharing your story
Some people choose to tell us about their experiences with epilepsy to help further our work. They may take on a role as a media contact, attend our events or sit on our committees. This may include them sharing sensitive information related to their health and family life in addition to their biographical and contact information.
We make sure we have the explicit and informed consent of the individuals, or their parent or guardian if they are under 18, before any information is made public by us at events, in materials promoting our campaigning and fundraising work, or in documents such as our annual report.
All calls to the helpline are confidential. This means that the helpline will not share anything about you with anyone else, unless you ask us to do so or in the very limited circumstances we have explained below.
We do not record your call to us, but we do record some statistical information about each call, for example, gender, whether you have epilepsy yourself, know someone who has epilepsy or are calling from an organisation, and the time and duration of your call. This data helps us understand who is using our helpline, which helps us understand if there are things we should do differently. From time to time staff may listen in to calls for training or support. Those staff are bound by the same rules of confidentiality as the call handler.
All emails to the helpline are confidential. This means that the helpline will not share your email with anyone else, unless you ask us to do so, or your enquiry is best answered by another department within Epilepsy Society, who will, of course, also treat it as confidential. We only record the number of emails we receive to the helpline email address.
Why we need it
To help us to improve our service, staff may listen in to your call with us. We may take notes during your call to help us to understand your situation. We may need to know your basic personal data in order to send you any information you request during your call to us. We use statistical information about your call to produce reports, to help us to improve the service we provide. We do not pass on the details of anyone contacting our service to anyone else, except in the following situations:
- We receive a call threatening terrorist activities.
- You specifically ask us to pass on information about you to someone else.
- You are in a situation that has or may cause you harm, you have given us information that identifies you, and you are not able to make a decision for yourself.
- You give us information that can identify someone who has caused harm or who threatens to cause harm to someone else.
- You threaten the safety of our helpline staff.
- You compromise our service by making it difficult for other people to contact us or by misusing our service. If this happens, we may take a decision to limit access to our services.
We are satisfied that we have a legitimate interest in processing the limited amount of data that we have in order to provide support for people with epilepsy and their families and other people who may have concerns about this condition and that we take every possible step to protect the privacy of the people who contact us.
What we do with it
Any personal data we collect is processed by our helpline staff in the UK.
Unless one of the situations arises where we have to pass on your information as explained, the only records of your call that are retained are the metadata (the number you called from, date, time and duration of the call). We use call metadata for reporting purposes and to analyse the efficiency of our Helpline service.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. We do not use any automated decision making.
How long we keep it
Any notes taken during the call are securely disposed of at the end of each shift. Call metadata is retained for analysis and reporting purposes. We will retain data in accordance with our data retention policy which is currently being finalised.
Emails to the helpline are retained for 45 days for analysis and reporting purposes. We will retain data in accordance with our data retention policy.
Complaints, compliments or comments
Please let us know if you have any concerns about what we do, what you think is going well and where you think we could improve. We will take your comments seriously and they will help us get better. Use our online form to lodge a complaint, compliment or comment.
Use of Zoom for remote working
For all our video meeting calls we use Zoom, a GDPR-compliant platform with full end-to-end encryption. This means that everything you say during a session is kept secure and confidential between you and the person (or persons in group calls) you’re talking to. In addition, we guarantee no recording of any of our meetings without your explicit consent. All recordings are held in a secure environment and are automatically deleted after 30 days. We recognise that privacy is extremely important to you and an essential part of our service.