Who we are
The BAF is the leading national charity dedicated to supporting those with allergy. We provide advice and information and offer practical solutions to help manage an allergic condition. We work with government, professional bodies, healthcare professionals and corporates to achieve our vision for everyone affected by allergy to receive the best possible care and support. Please visit our About Us page to learn more about what we do.
2.2 Allergy UK is the operational name of the British Allergy Foundation, a charitable company limited by guarantee and registered in England and Wales (registered charity number 1094231 and company number 4509293), and registered in Scotland (registered charity number SC039257), whose registered office is at London House, Texcel Business Park, Thames Road, Crayford, DA1 4SL.
2.3 We also have a wholly owned subsidiary company of the British Allergy Foundation, called Allergy Research Limited (ARL) that carries out business which may be advantageous and ancillary to the charitable objects of Allergy UK and donates all profits to the British Allergy Foundation. ARL was established in 1998 and its donations support the charity in carrying out its charitable objects to support those living with allergic disease. Our subsidiary may process personal data in accordance with Allergy UK’s instructions and policies.
2.4 The charity and trading subsidiary are different entities and are administered separately. Within the context of this policy, “we”, “us”, or “our”, means both the charity and its subsidiary.
2.5 Allergy UK is registered as a data controller with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018 – registration number Z5226293. Allergy UK is responsible for operating this website.
What personal information we collect and when we collect it
3.1 Personal information is information that can be used to identify a person as an individual. In the context of this policy “personal information” can be an individual’s personal data, their child’s or someone for whom they are a carer. Allergy UK may process personal data such as a first name, surname, date of birth, date of death, email address, postal address, home telephone number, mobile telephone number, gender, ethnicity, marital status, photographs or videos, social media name, bank account details, credit/debit card details, next of kin details, IP address and, where a person is a UK tax payer, details so that we can claim Gift Aid where agreed. We may also collect special categories of data, as detailed below.
We may collect personal information when a person:
- uses our Helpline telephone service.
- uses our Helpline webchat service;
- signs up to our Allergy Alerts service;
- uses our website;
- downloads a Factsheet from our website;
- orders products and services from us (such as translation cards);
- makes a donation to us;
- tells us about a fundraising event they are organising or taking part in;
- registers for a place on one of our fundraising events;
- asks about our activities or for us to send them something about our services;
- registers for one of our events;
- attends an event or exhibition not organised by us and agrees with the organisers that they can supply us with their personal information;
- enquires about signing up for one of our product endorsement schemes;
- becomes a corporate partner;
- registers as a catering venue for our food safety scheme;
- registers as a school for our schools’ information projects;
- signs up to receive our newsletter;
- signs up to receive our publications;
- enters a prize draw or competition on our website or social media channels;
- fills out a survey or questionnaire;
- asks for press statements or requests a media spokesperson;
- uses one of our social media channels such as Facebook, Twitter, LinkedIn and YouTube and asks us a question, requests something from us, or sends us a direct message;
- supplies personal details to be in the public domain or via a publicly accessible source, such as the website of the company they work for or on LinkedIn;
- applies for a bursary;
- applies for a job with us;
- becomes a supplier;
- volunteers for us;
- or otherwise provides us with their personal information through other means.
3.2 The following list identifies the kind of data that that we will process, and which falls within the scope of “special categories” of more sensitive personal information:
There may be specific equality laws or other legitimate purposes which require us to hold on file categories of information which relate to equality data. This data will be kept on file with the consent of each individual and used solely for the purposes of statistical data required for monitoring equality of opportunity and treatment across all employees and/or volunteers. For example, age, disability, gender, gender reassignment, race, religion or belief, and sexual orientation to encourage compliance with the Human Rights Act.
If a person tells us about a health/medical condition or experiences and symptoms of allergy when using services or takes part in an event we will make it clear to them, at that time, what information we are collecting and how we will use the data.
Genetics, Race and Ethnic Origin Data
We participate in research activities that are associated with understanding allergic disease. Allergy UK may be the lead for a research project, or we might partner with other associated organisations. Research evidence has shown that genetics, race and ethnic origin can be factors involved in allergy. We would only use identifiable personal data where explicit consent has been provided in advance. Anonymised data might be used. When collecting information specifically in respect of a particular research project we will make it clear why we are collecting data and how the data will be used.
If a person uses their credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We do not store credit or debit card details following the completion of a financial transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only those staff authorised to process payments will be able to see card details.
Why we collect and how we use personal information
4.1 We may collect personal information for a number of reasons, such as:
- to provide a person with appropriate clinical advice when they get in touch with us, where appropriate, throughout the lifetime of their medical condition(s) and their ongoing contact with us;
- to protect their vital interests, in the case of life or death situations;
- to comply with legislation and regulations;
- to enter into a contract with them or take steps to enter into a contract with them;
- to provide them with the services, products and/or information which they have signed up to or requested;
- to process any donation we may receive from them;
- to ask them to help us raise money or donate money to our charity;
- to respond to a question or enquiry;
- to register a person for a fundraising event, where we have bought a place, and to send them details about that event and how to send us the money raised and collected;
- to keep a record of a person’s own fundraising event for us;
- when a person makes use of one of our specialist clinical services;
- to invite participation in surveys and research in order to use the results for statistical analysis to help improve our services and gather statistics on areas relating to allergic disease in the UK;
- to be a case study for us, where we may also use photos or a video on our website or other channels, with consent;
- for internal record keeping, such as the management of feedback or complaints;
- to maintain a list of people who have explicitly told us that they do not want us to contact them;
- to analyse and improve the services we offer;
- or to set a person up on our systems as, for example, a bursary recipient or a volunteer.
4.2 Once collected, we may anonymise your data for activities relating to our legitimate interests, such as being able to collate statistical data to inform our services, survey data or research.
4.3 We aim to ensure that all information we hold about a person is accurate and kept up-to-date. If any of the information we hold about a person is inaccurate and either they advise us or we become otherwise aware, we will ensure it is amended and updated as soon as possible.
4.4 We may contact a person for direct marketing purposes by post, email, home telephone, mobile telephone or text, if they have given us permission to do so. We will only contact a person for the purpose requested via the channel they request. For example, if a person only wishes to receive our newsletter, we will only send emails about this. It is each person’s choice about the type of communication and information they receive from us.
4.5 We will not use personal information for direct marketing purposes if a person has asked us not to do so. However, we will retain details on a suppression list to help ensure we do not contact them. A person may ask for any personal information about them that we hold to be deleted and destroyed at any time but, please note, in that case we will have no record of any marketing preferences. There may also be times when we cannot delete data because of other laws or regulations. We will inform a person, if possible, if data cannot be deleted.
Our legal basis for processing and storing personal data
5.1 Our legal basis for processing and storing personal data differs depending on when and why a person has provided us with their personal information. For example:
For the purposes of health care advice and to protect a person’s vital interests
- If a person supplies us with details of personal information relating to health or medical condition(s), whether over the phone on our Helpline, via our webchat service, by signing up to Allergy Alerts, or via another method, we will record and store these details for the purpose of providing health care advice. The data input is always undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality. This is to protect the person’s interests and provide them with the most appropriate clinical advice and information at all times when they make contact with us. Only individuals involved in our clinical service have access to this information.
- When a person calls our Helpline service there may be situations in which we need to record the call even if consent has not been given. This is because we provide clinical advice, through a health professional, on our Helpline. If, at a later date, our advice is questioned, a person does not follow our advice or raises a dispute or complaint, then we need to ensure that we have a record of the conversation. In those situations, we will therefore record the call for the purpose of providing the health care advice. There may also be times when either the person who calls our Helpline, or the person about whom they are calling may be in danger or we are provided with information which we believe may indicate there is a need to enact safeguarding procedures. In these circumstances, we have a legal duty of care to collect the personal data in order to protect the person’s vital interests and, if necessary, this may include passing details on to the emergency services or other relevant authorities.
- Collection of details of health and medical data which is not related to the purpose of the provision of health care advice or protecting a person’s vital interests will be on the basis of the person’s consent. Section 12 provides further details on individual rights.
- We may contact those included in our database to raise awareness of research projects which are seeking participant involvement. This activity may require some profiling to try to ensure that only people for whom it may be relevant are contacted.
6.1 For the performance of a contract or to take steps to enter into a contract
- If a person sets up a direct debit to donate money to us regularly, orders translation cards from us, is representing a company that wishes to work with us, either by signing up to one of our endorsement schemes or working with us as a partner or a supplier, or for another reason, we will collect personal information to allow us to take steps to enter into a contract.
6.2 Direct Marketing
- Consent for us to process and store personal information is separate from giving us consent for electronic direct marketing purposes, which is when a person has requested that we send by email or other electronic method, from time to time, marketing or other materials promoting our organisation and charitable aims. We always ask for separate consent for electronic direct marketing purposes to make it explicitly clear as to what a person is consenting to and how we will be using the personal information. For example, we may email you information concerning research projects which are looking for participants. This activity may require some profiling to try to ensure that only people for whom it may be relevant are contacted.
- If we have processed and stored personal data and a person has provided us with consent to contact them by opting in to receive direct marketing by email from us then, every 12-24 months, we may ask them to verify the personal information we hold about them and provide us with their consent to continue to receive direct marketing from us. We do this to ensure the personal information we hold on them and their preferences for any contact from us is as accurate and up to date as possible.
- We may also send you direct marketing information by post, using the postal address we have on record for you, unless you have opted out from receiving such information. Our legal basis for such direct marketing is that it is in our legitimate interests of raising the profile of our charity and providing information in line with our charitable aims, including events, projects and requests for donations.
Data Protection and Security
7.1 We take steps to ensure all information is safe and secure, and that all staff are aware of and comply with their responsibilities in relation to data protection legislation. A copy of our Information Security Policy can be accessed through the BAF HR department. We will ensure that:
- The Information Security policy is up to date
- All staff undergo training in data protection requirements
- Access to personal data is based on role responsibility and a ‘need to know’ basis, which is seen as good practice by the Information Commissioner’s Office (ICO). We do this to reduce the risk of inappropriate access to personal data by staff or volunteers.
- Access to our office is through use of secure keypad entry and the code is changed regularly as required.
- We have confidential waste processes in place in the form of a shredder. This improves the security of documents which may contain personal data which is no longer required.
- We have formal retention schedules in place to ensure that we only keep personal information for an appropriate length of time.
- We have security locks for our I.T. screens.
- We enforce regular password changes through our IT systems.
- We have a clear desk policy with regard to personal information – nothing containing personal information is to be left out on a desk outside office hours.
- All paper files or discs containing personal information are held in securely locked cabinets, with only the appropriate staff having access to them.
- We have an encrypted memory stick which is password protected and use this if we are required to present at external meetings/events.
7.2 Although we cannot fully guarantee the security of any information transmitted to us, we enforce strict procedures and security features to protect all information and prevent unauthorised access.
Storing information and how long we store it
8.1 We only hold personal information for appropriate lengths of time, in line with the Information Security Management Schedule ( Addendum IT1) and will contact a person for consent to continue holding or destroy the data.
8.2 We take into consideration our legal obligations, the guidance of relevant UK authorities such as the ICO, the National Health Service, Fundraising Regulator and also tax and accounting bodies, when determining how long we should retain information.
8.3 When we no longer need to retain personal information, we will ensure it is securely deleted and destroyed at the appropriate time, unless a person provides consent for us to retain it for a further period.
Our websites and cookies
9.1 Our websites use Google Analytics to track what a visitor sees on our website and which pages they visit. We use this data to determine the number of people using our site, to better understand how they find and use our web pages, and to see their journey through the websites.
9.2 Although Google Analytics records data such as geographical location, the device being used to access our website, internet browser, and operating system, it does not personally identify any person. Google Analytics also records a computer’s IP address, and although this could be used to personally identify a person, Google does not grant access to this.
Information sharing, disclosure, and third-party data controllers and data processors
10.1 We will not share a person’s information with any third party apart from trusted partners we work with to help deliver our services.
10.2 We require all our trusted partners to comply with data protection regulations and our standards and we allow them only to process information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place and we regularly monitor all our partners to ensure their compliance.
10.3 We may disclose personal information to third parties if we are required to do so through a legal obligation, to enable us to enforce or apply our terms and conditions or rights under an agreement or to professional advisers, to protect us, for example, in the case of suspected fraud or defamation.
10.4 We may use third parties to process personal data on our behalf. Some of these third parties have servers located outside the EU, which means that when a person uses these services, data is passed between the UK and a country outside the EU. We will take steps to ensure privacy continues to be protected as per UK data protection legislation in line with the BAF Information Security Policy.
We will always seek consent to share data with any third parties for any other purposes.
Your rights as an individual
12.1 Under data protection legislation, a person has the right to:
- obtain confirmation from us about whether we are processing their personal information, how, and why;
- request that we update or amend the information we hold about them, if it is wrong;
- object to the processing of their information for direct marketing purposes or profiling;
- object to their personal information being subject to automated processing;
- request a copy of the information we hold about them;
- change their communication preferences at any time;
- ask us to remove their personal information from our records without delay;
- a right to portability of photographs and images which they provided to us, returned in a ‘machine readable’ format and, where requested, transferred directly to another data controller (free of charge);
- raise a concern or complaint with us about the way in which their information is being used.
- if dissatisfied with the outcome of any complaint we have investigated, then raise a concern or complaint about the way in which their information is being used with a data protection authority. In the UK, the data protection authority is the Information Commissioner’s Office (ICO) who can be contacted at https://ico.org.uk/.
If at any time a person contacts us regarding any of their rights above, we will respond to their enquiry as soon as possible.