Prostate Cancer Research (PCR) Privacy Policy

About PCR

PCRC is a charitable incorporated organisation; it is registered with the Charity Commission (charity number 1156027) and Companies House (company number CE001019).

This Privacy Policy sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us. Please read this Privacy Policy carefully to understand our views and practices regarding your personal data and how we will treat it.
In meeting its charitable purposes, PCR processes as a data controller the personal data of the following categories of people (click heading in the section below to jump to specific policy):

1. Patients
2. Donors and fundraisers
3. Volunteers
4. Legacy pledgers
5. Email subscribers
6. Trustees
7. Job applicants

There are audience-specific privacy policies for each of the categories listed above that support this Privacy Policy. We encourage you to read the policy that is relevant to your relationship with us for more detail on how we manage and use your personal data.
We may need to change or update this Privacy Policy from time to time and if we do so we will post the changes here. Where the changes are significant, we will inform individuals.

PCR audience-specific privacy policies

1. If you are a patient

What personal information do we collect?

The personal information we collect from prostate cancer patients [and family members] may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your gender
• Your nationality and ethnicity
• Your background and family situation
• Photographs
• Medical information (see below: What about special category data?)
• Records of your communications with us
• Information gathered through surveys or forms you have filled out

What about special category data?
For specific projects and where stated, we may collect health information.

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs and political opinions (‘special category data’). Special category data can be a valuable asset in assisting us in our scientific research, and we only collect it when we have a legal basis to do so and that legal basis is supported by a condition for processing.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• agree to participate in a research project;
• complete a survey; or
• to be interviewed about your experiences for the purposes of informing our research strategy

How do we collect your personal information when you give it to us indirectly?

• This may include data for which you have given consent to an academic institution to share for the purposes of research

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

Where you have granted us consent, for example: –
• To participate in a research project: where any health data (or other special category data) is involved in our research, we rely on the “explicit consent” condition for processing that information.

Where we have a legitimate interest, for example: –
• To administer our internal operations, including the administration of activities involving our partners; or
• To improve our services to ensure that any content is presented to you in the most effective manner for you.

We also use the information you provide in an anonymised form for the following purposes: –
• Assist us in selecting new research projects
• Refine and improve our services
• Produce reports such as our annual report or reports for donors

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

Examples of service providers/data processors include: Stripe and WordPress who work with us to process online donations.

We may also share your personal data with partner organisations that work with us to deliver a service you have signed up for or with partner research organisations that are working with us to deliver a research project.

How long do we keep your information?
Subject to any other relationship you have with us, such as being a donor or fundraiser, we retain personal data for as long as we require it.

2. If you are a donor or fundraiser

What personal information do we collect?

The personal information we collect from you may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your background and family situation
• Photographs
• Details of your donations, including Gift Aid information, and financial data relating to donation payments. For example, if you donate by direct debit or standing order, we keep bank account details to set up and collect payments. If you wish to donate by credit card or debit card, your card details are collected in order to process your payment.
• Records of your communications with us
• Information gathered through surveys or forms you have filled out
• Your IP address(es) and information relating to what pages have been viewed and any information volunteered by you when your browse our website, and we may also track if you are opening and engaging with the service emails we send you.

In addition to the above, when you visit our website we use cookies to improve your experience and personalise the service you receive. See our cookies policy for more information.

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We do not routinely collect special category data of our donors and fundraisers but when we do, there is a clear reason for doing so, such as accessibility or dietary requirements for events, or due diligence in respect of major donations.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• make a donation or complete a Gift Aid declaration;
• respond to an invitation or attend an event; or
• tell us that you are fundraising for us.

How do we collect your personal information when you give it to us indirectly?

We collect personal information that you may provide to us including when you:

• register for a challenge event (e.g. the London Marathon) and the organisers of that event share your information with us;
• When we conduct desktop research: to build PCRC’s income for research purposes, we may research our donors’ interests and preferences to ensure appropriate communications are issued. In addition to sourcing relevant geographic and demographic data, we use publicly available third-party data – for addresses, directorships or typical earnings within a selected region. This means we may seek information relating to your profession, professional qualifications and related information (e.g. your job title, employer, professional history, any business interests etc.). This provides insight into our current and potential supporters, and their possible motivations. PCRC conducts measured, appropriate and cost-effective campaigns for the purpose of increasing charitable income.
• When you have given consent to an academic institution to share your data for the purposes of research.

When we collect it as you use our website

We collect information about the services you use and how you use them in a number of ways, including:

• When you visit our website, including through the use of cookies, we may automatically collection information about your equipment, browsing actions and patterns. See our cookie policy for more information; or
• When you view and interact with our emails and content

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

To fulfil a contractual obligation, for example: –
• When you register for an event
• To dispatch fundraising materials to you that you have purchased or ordered free of charge

Where you have granted us consent, for example: –
• To contact you if you subscribe to a mailing list
• To share fundraising information with you by email

Where we have a legitimate interest, for example: –
• To send you a thank you communication for your donation(s)
• To contact you with fundraising information or an administrative enquiry relating to your donation by post or phone
• To manage, review and/or assess any actual or potential contributions, whether these be through financial support, or in-kind donations;
• To administer our internal operations, including the administration of activities involving our partners; or
• To improve our services to ensure that any content is presented to you in the most effective manner for you.

Where we are required by law to process your information, for example: –
• To make a Gift Aid claim
• To facilitate health and safety requirements at an event

We also use the information you provide in an anonymised form for the following purposes: –
• Monitor and evaluate the impact of our programmes
• Refine and improve our services
• Produce reports, such as our annual report or reports for donors

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

Examples of service providers/data processors include: –
• Our email distribution service provider;
• Manage donations through our website;
• Manage donations through third parties, e.g. payroll giving
• Any organisations that assist us with events that we are holding

We may also share your personal data with partner organisations that work with us to deliver a service you have signed up for.

How long do we keep your information?

We keep your data for as long as necessary for the purposes set out in this Privacy Policy. The retention period will vary according to the nature of the purpose under which the information is held. For example we retain Gift Aid declarations in accordance with HMRC guidance, which in the case of a one-off donation is generally six years from the end of the accounting period in which the donation is received; the period is longer in the case of a declaration that applies to a series of donations or if an HMRC query is received during the normal retention period.

3. If you are a volunteer

What personal information do we collect?

PCRC engages a range of individuals on a voluntary basis. Our volunteers include members of the public, [(e.g. patrons, ambassadors)] and pro bono advisors (e.g. lawyers or scientists).

The personal information we collect from you may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your gender
• Next of kin/emergency contact information
• Photographs
• Records of your communications with us
• Your profession, professional qualifications and related information (e.g. your job title, employer, professional history, any business interests, any potential conflicts of interest etc.)

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We do not routinely collect special category data of our volunteers but when we do, there is a clear reason for doing so (e.g. to discharge our equality and diversity requirements).

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• make a donation or complete a Gift Aid declaration;
• respond to an invitation or attend an event; or
• tell us that you are fundraising for us.

How do we collect your personal information when you give it to us indirectly?

We collect personal information that you may provide to us including when you:

• apply for a volunteer role through a third-party, such as DoIt.org.
• forward your information through a private contact

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

To fulfil a contractual obligation, for example: –
• To facilitate the terms of a volunteering agreement

Where we have a legitimate interest, for example: –
• To administer our internal operations, including the administration of activities involving our partners

Where we are required by law to process your information, for example: –
• To discharge our health and safety, and equality and diversity obligations

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

Examples of service providers/data processors include: –
• Any organisations that assist us with events that we are holding that you may be volunteering at;

We may also share your personal data with partner organisations that are working with us to deliver our volunteering.

How long do we keep your information?

Subject to any other relationship you have with us, such as being a donor or fundraiser, we retain volunteer data for as long as we require it.

4. If you have made a gift in your will or left a legacy

What personal information do we collect?

The personal information we collect from you may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your background and family situation
• Photographs
• Medical information
• Details of your donations, including Gift Aid information, and financial data relating to donation payments. For example, if you donate by direct debit or standing order, we keep bank account details to set up and collect payments. If you wish to donate by credit card or debit card, your card details are collected in order to process your payment.
• Records of your communications with us
• Information gathered through surveys or forms you have filled out
• Your IP address(es) and information relating to what pages have been viewed and any information volunteered by you when your browse our website, and we may also track if you are opening and engaging with the service emails we send you.

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We do not routinely collect special category data of individuals that may have decided to leave us a legacy in their Will but when we do, there is a clear reason for doing so.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• tell us that you intend to gift us a legacy in your will

How do we collect your personal information when you give it to us indirectly?

We collect personal information that you may provide to us including when you:

• instruct your solicitor or other third-party individual or organisation to let us know that you have left a legacy in your will

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

To fulfil a contractual obligation, for example: –
• To facilitate the terms of your volunteering agreement

Where we have a legitimate interest, for example: –
• To administer our internal operations, including the administration of activities involving our partners

We also use the information you provide in an anonymised form for the following purposes: –

• Monitor and evaluate the impact of our research programmes
• Refine and improve our services
• Produce reports such as our annual report or reports for donors

What other organisations do we share your information with?

How long do we keep your information?
Subject to any other relationship you have with us, such as being a donor or fundraiser, we retain personal data for as long as we require it.

5. If you subscribe to updates via email

What personal information do we collect?

The personal information we collect from email subscribers may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your gender
• Photographs
• Details of your donations, including Gift Aid information, and financial data relating to donation payments. For example, if you donate by direct debit or standing order, we keep bank account details to set up and collect payments. If you wish to donate by credit card or debit card, your card details are collected in order to process your payment.
• Records of your communications with us
• Information gathered through surveys or forms you have filled out
• Your IP address(es) and information relating to what pages have been viewed and any information volunteered by you when your browse our website, and we may also track if you are opening and engaging with the service emails we send you.

In addition to the above, when you visit our website we use cookies to improve your experience and personalise the service you receive.

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We do not routinely collect such information about our email subscribers unless that information has been manifestly made public by you (for example, where you have published your political opinions/affiliations). If we do need to collect special category data, we will only do so when we have a legal basis and that legal basis will be supported by a condition for processing.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• confirm your subscription to receive our newsletter emails; or
• respond to any invitations included in those emails

How do we collect your personal information when you give it to us indirectly?

When we collect it as you use our website

We collect information about the services you use and how you use them in a number of ways, including:

• When you visit our website, including through the use of cookies, we may automatically collect information about your equipment, browsing actions and patterns. See our cookies policy for more information; or
• When you view and interact with our emails and content

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

Where you have granted us consent, for example: –
• To contact you if you subscribe to our mailing list with marketing emails, newsletters and updates, and/or information on our research activities
• To let you know about our programmes and any events that we may be hosting

Where we have a legitimate interest, for example: –
• To improve our services to ensure that any content is presented to you in the most effective manner for you

We also use the information you provide in an anonymised form for the following purposes: –
• Monitor and evaluate the impact of our programmes
• Refine and improve our services
• Produce reports such as our annual report or reports for donors
• To advocate for women entrepreneurs around the world

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

For our email subscribers, we share your personal information with our email distribution service provider that sends out and helps us tailor our emails, and we will not share it with any other third parties without your explicit consent.

How long do we keep your information?

Subject to any other relationship you have with us, such as being a donor or fundraiser, we retain personal data for as long as we require it. We keep contact information about our email subscribers to ensure we deliver the information requested. However, after a contact unsubscribes, we retain a minimal amount of data (name and email address) in case a request is received to re-subscribe, to track the consent and communication history of the individual, or to get in touch for administrative purposes.

6. If you are a trustee

What personal information do we collect?

Our Board of Trustees have overall control of a charity and lead it to ensure that its activities are aligned to its charitable objectives. The personal information we collect may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your nationality and ethnicity
• Your profession, professional qualifications and related information (e.g. your job title, employer, professional history, any business interests etc)
• Photographs
• Records of your communications with us

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We do not routinely collect such information about our Trustees unless that information has been manifestly made public by you (for example, where you have published your political opinions/affiliations). If we do need to collect special category data, we will only do so when we have a legal basis and that legal basis will be supported by a condition for processing.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• complete trustee appointment documents;
• provide identification documents;

How do we collect your personal information when you give it to us indirectly?

When appointed as a Board member, we may collect references prior to approving your application.

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

To fulfil a contractual obligation, for example: –
• To administer trustee indemnity insurance;

Where you have granted us consent, for example: –
• To request references

Where we have a legitimate interest, for example: –
• To register your details at the Charity Commission on your appointment;
• To ensure no Conflicts of Interest

Where we are required by law to process your information, for example: –
• To comply with our obligations under charity law
• We may need to disclose your details if required to regulatory bodies or legal advisors. Our regulatory bodies include HMRC, the Charity Commission, the Information Commissioner’s Office and the Fundraising Regulator.

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

Examples of service providers/data processors include: –
• Stripe and WordPress who work with us to process online donations

How long do we keep your information?
We only keep your data for as long as necessary for the purposes set out in this Privacy Policy. The retention period will vary according to the nature of the purpose under which the information is held. For example:
• We retain Gift Aid declarations in accordance with HMRC guidance, which in the case of a one-off donation is generally six years from the end of the accounting period in which the donation is received; the period is longer in the case of a declaration which applies to a series of donations or if an HMRC query is received during the normal retention period.

7. If you have applied for a job

What personal information do we collect?

The personal information we collect may include:

• Your title, name, address and contact information (telephone number(s) and/or email address(es))
• Your date of birth
• Your nationality and ethnicity
• Photographs
• Records of your communications with us
• Information gathered through surveys or forms you have filled out

What about special category data?

Certain categories of personal information are recognised in law as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’) and personal data relating to criminal convictions and offences.

We may collect special category data in order to discharge our equality and diversity obligations. We will only collect special category data when we have a legal basis to do so and that legal basis is supported by a condition for processing.

How do we collect your personal information when you give it to us directly?

We collect personal information that you may provide to us including when you:

• fill out a job application form;
• provide identification documents

How do we collect your personal information when you give it to us indirectly?

We only collect personal data about job applicants indirectly if it is being passed to us by a recruiter or via a reference request.

How do we use your information and what is our legal basis for processing it?

We will only process your information if we have a legal basis for doing so, including: –

Where you have granted us consent, for example: –
• To request references

Where we are required by law to process your information, for example: –
• To comply with our obligations under charity law
• To comply with our health and safety, and equality and diversity obligations
• We may need to disclose your details if required to regulatory bodies or legal advisors. Our regulatory bodies include HMRC, the Charity Commission, the Information Commissioner’s Office and the Fundraising Regulator.

What other organisations do we share your information with?

We may share your personal information with our service providers/data processors so that they can carry out work on our behalf. Whenever we engage a third party to act on our behalf we ensure that the contract we enter into with them require them to comply with UK data protection laws, to process your information only for the purposes we specify and to make sure they have the appropriate controls in place to protect the security of your information.

Examples of service providers/data processors include: –
• Recruitment agencies

• Payroll service agents

How long do we keep your information?
Subject to any other relationship you have with us, such as being a donor or volunteer, we retain personal data for as long as we require it. We keep your data for as long as necessary for the purposes set out in this Privacy Policy. The retention period will vary according to the nature of the purpose under which the information is held. For example, interview notes and CVs are kept for three years.

Your personal data

The personal data that we may collect about you, the reason why we collect it and what we do with it will depend on your relationship with us. Please see the audience-specific privacy policies below for more detail.

Your rights

You have various legal rights in relation to the information you give us, or which we collect about you, as follows: –

• The right to access your information and obtain confirmation that we are processing your personal information (see below our Subject Access Request process);
• The right to have your personal information rectified if it is incomplete or inaccurate;
• The right to have your personal information removed or deleted in certain circumstances, for example when you have withdrawn consent to it being processed and we have no other basis for processing it;
• The right to restrict the processing of your personal information in certain circumstances;
• The right to object to certain processing including the right to not be subject to automated decision-making and the right to object where we are processing your information on the basis of our legitimate interest;
• The right to require us not to send you marketing communications; and
• Where you have provided your consent to the processing, the right to withdraw consent to the processing of your data (without affecting the lawfulness of processing based on consent before its withdrawal).

Please note that not all of the above rights are absolute and requests may be refused where exceptions apply.

For a more detailed explanation of these rights, please refer to the ICO’s guidance.

Subject Access Request

You can ask us to confirm if we are keeping any personal information about you and you can also request to receive a copy of that personal information – this is called a Subject Access Request.

To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate, or driving license before your request can be processed. Please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently. Once we have received your Subject Access Request and proof of identity, you will receive a response from us within a month unless circumstances permit us to extend that deadline.

If you would like to submit a Subject Access Request or exercise any of the other rights referred to above, please email us at [email protected]. You can write to us at Prostate Cancer Research, Suite 2, 23-24 Great James Street, London, WC1N 3ES. You can also telephone us on 0203 735 5444. More information on how to submit a Subject Access Request is available from the Information Commissioner’s Office here.

If you are not happy with how we handle any of your requests, queries, or concerns, you can contact the Information Commissioner’s Office, who oversees the protection of personal information in the UK.

Updating your communication preferences

We will respect your email privacy. This means we carefully manage the communications we send you to ensure that we are contacting you in the most relevant way.

You will only receive communications from us that you have requested. This means you will not receive unsolicited mail from PCR unless you have agreed to receive communications from us. You can change your email preferences or subscribe at any time by: –

• clicking the “unsubscribe” link at the end of any emails you receive from us; or
• by contacting [email protected], or
• calling 0203 735 5444
• updating your contact preferences on our website.
• unsubscribe by replying to the sender directly.

We may embed links in our communications to third-party websites or pages that are not managed by PCR. If you follow any external links to other organisations or websites, please note that they will have their own privacy policies. Please check third-party policies before you submit personal information. We do not accept any responsibility or liability for third party websites or privacy policies.

How do we keep your information secure?

We take appropriate security measures to protect your data against unauthorised access, alteration, disclosure or destruction. When sharing your data with third parties, we do so securely, including taking the following safeguards: –

• PCI DSS standards. We comply with the Payment Card Industry Data Security Standards in relation to debit/credit card payments made on our website to protect financial information from theft and fraud. Your card details are not stored on PCR’s electronic systems or as hard copies.
• Methods of disposal. Paper documents are disposed of by shredding in a manner that ensures confidentiality.
• Firewalls and encryption. We use industry-standard and up-to-date firewall and encryption technology.
• Secure data transfers. When transferring your data we ensure it is protected by using a secure data transfer site.
• Restricted access. Access to personal and financial data is permitted to authorised staff only.
• Secure storage. Our data storage is assessed through a secure physical and electronic process.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our website and any transmission is at your own risk. Once we have received your personal information, we will use adequate procedures and security features to try to prevent unauthorised access.

Contact us

You can contact us at any time to change your communication preferences. If you have any queries about our Privacy Policy or want to raise a concern about how we process the information we hold about you, email us at [email protected], write to Prostate Cancer Research, Suite 2, 23-24 Great James Street, London WC1N 3ES, or phone 0203 735 5444.