Privacy policy

Changing Faces is committed to ensuring that your personal information is protected and to being transparent about how we use it.

We take data protection very seriously, and we will use your personal information in accordance with all the applicable laws relating to data protection, human rights and electronic communications. We will not do anything with your data that you would not reasonably expect us to.

This data protection and privacy policy sets out how we use and protect any personal information that you give us, as a client, supporter, employee or volunteer, or when you use our website, our social media pages on Facebook, Twitter, LinkedIn, TikTok or Instagram, or communicate with us in the course of our normal activities.

Definitions

  • ‘Personal data’ means any information relating to an identified or identifiable living person (‘data subject’).
  • ‘Processing data’ means performing any operation or set of operations on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • ‘Direct marketing’ means the communication of any advertising or marketing material which is sent or transmitted to particular individuals.
  • In the context of direct marketing, ‘Administration’ means the processing of data which excludes any element of direct marketing. For example, sending a thank-you letter to acknowledge a donation.

Who we are and what we do

Changing Faces is the UK’s leading charity for everyone who has a condition, mark or scar that makes them look different.

We provide advice and support through our expert wellbeing and mental health support services and skin camouflage service in local communities across the UK. We help build people’s confidence to live their life on their terms. And we challenge prejudice, respect differences and speak to a world that needs to change.

Changing Faces is registered as a charity in England and Wales (registered charity number 1011222), and in Scotland (registered charity number SCO39725) and is the data controller for data protection purposes. You can contact Changing Faces by calling 0345 4500 275 or by emailing [email protected].

Our Data Protection Officer is Clare Miles. She may be contacted by calling 020 73919 294 or by emailing [email protected].

Data protection regulations

In carrying out our day-to-day activities we process and store personal information relating to our clients, staff, supporters and volunteers and we adhere to the requirements of the Data Protection Act 2018 (DPA) and the General Data Protection Regulation 2018 (GDPR).

We take our responsibilities under data protection legislation seriously and we ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with those regulations and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations (PECR).

The personal information that we collect

Personal information is information that can be used to identify you. It may be electronic or on paper and includes photographs and videos.

We collect personal information about you when you:

  • Are referred or refer yourself to our services.
  • Ask about our activities.
  • Apply to us for a job or are appointed to a post.
  • Register with us, for example, signing up to receive information.
  • Make a donation to us.
  • Register for an event.
  • Engage with our social media or message boards.
  • Order products and services, such as publications and email newsletters.
  • Otherwise give us personal information or become known to us as someone who might consider connecting with Changing Faces in some way.

Personal information includes:

  • Name
  • Date of birth
  • Email address
  • Postal address
  • Bank account details
  • Job title and employer
  • Mobile and landline telephone numbers
  • Gender
  • Marital status
  • Experiences of visible difference, if you share these with us
  • The reason you give us for supporting Changing Faces

It may also include:

  • Details of any opt-in and opt-out preferences you have communicated to us.
  • Whether or not you are a UK tax-payer (so that we know whether or not we can claim Gift Aid).
  • Details of any gifts you have given to Changing Faces.
  • Details of any Changing Faces events you have participated in.
  • Notes relating to our relationship with you. Examples of this could be:
    • Correspondence between you and Changing Faces.
    • Connections between you and other individuals or organisations known to Changing Faces.
    • Data gathered through prospect research.

These lists are not comprehensive, but they are intended to give an indication of the sort of information we collect.

If you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that we manage this securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS).

We do not store your financial information for longer than we need to.

Sensitive/special category data

If you contact us in order to seek support from our services, we may collect the following additional information, defined in law as sensitive data or special category data.

Sensitive or special category data is a type of personal data that, if made available, could potentially leave the individual it relates to vulnerable to discrimination or harassment. GDPR protects personal information as a whole, but also adds extra focus to sensitive information because of the possible impact on a person’s livelihood, quality of life, and ability to participate in daily activities.

Special category data, as defined by the GDPR, comprises:

  • Physical or mental health or condition
  • Genetics and biometrics
  • Sexual life or sexual orientation
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership

We will only collect any such data with your explicit consent.

Criminal offence data

We will only process criminal offence data when permitted to do so by relevant law.

We may collect it as part of our staff, and in certain circumstances volunteer, recruitment activity in line with our policy on criminal records disclosure and recruitment of ex-offenders. We may process criminal offence data if required to do so, in order to safeguard vulnerable clients or other users of our services.

Non-personal data

If you read pages or download information from our website, we may gather information about this use, such as which pages are most visited and which events or activities are of most interest.

This information can be used to help us improve our website and services and ensure we provide you with the best service. The information we use for this purpose is aggregated or anonymised and will not identify you as an individual visitor to our website.

Please refer to our cookies policy for further information on this.

How we use the information we process and the legal basis for it

To provide you with mental health and wellbeing support or skin camouflage services

Lawful basis for processing – consent

  • Where you have provided information to us either requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us.
  • When we process sensitive data for the purposes of providing mental health and wellbeing or skin camouflage services, we are compliant with GDPR Article 9 section ‘h’ regarding the use of sensitive information for preventive or occupational medicine.
  • You may withdraw consent at any time by emailing [email protected]. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
  • If you have asked us not to use your information for marketing purposes, we will retain your name, home address and email address on a suppression list to ensure we do not continue to contact you.
  • You do not need to provide us with all the information that we ask for in order to deliver our services, but if you are unwilling to do so, this may impact our ability to provide an effective service.

What we do with your data

  • We process your personal details and input them to our secure client database.
  • We send you the information you have requested or direct you to the relevant place on our website.
  • We contact you to send you an appointment date and place if requested.
  • We ensure that the staff member or volunteer who provides any service to you has your details to enable the service to be delivered.
  • We contact a health or social care professional, education professional or other professional third party involved in your care if you have given consent for us to do so.
  • We record the result of the appointment/consultation/session/interaction on our secure database.
  • We remain in contact for the duration of the time the service is provided to you. We may from time to time contact you about other services provided by Changing Faces that may be of interest to you.
  • We ask you to complete a post-appointment questionnaire or answer feedback/outcome questions.
  • We use your anonymised data to evaluate the reach of our service and to plan future service developments.
  • We may share some of your personal data with NHS bodies. This will not include sensitive data and will be done within a secure environment.
  • We keep your data stored on our secure database protected by a password policy. We keep your data for seven years after our final contact with you for regulatory reasons, and thereafter, your data is securely destroyed.
  • We ensure that when processing children’s data, we comply fully with the existing protection and safeguarding legislation.

To comply with our legal obligations as an employer, for employed staff and for volunteers

Lawful basis for processing – contract

  • We process staff and volunteer data, including interim, temporary and contract staff and volunteers, based on contractual relationships or volunteer agreements.
  • You are required contractually to provide us with personal information after your appointment. If you are unwilling to do so, we may need to terminate the appointment.
  • You are not required to provide us with the information we request, for example on our application form, when applying for a job, but if you fail to do so, this may weaken your application.
  • We collect and process diversity data to allow us to comply with UK equality legislation. Staff may opt out of this monitoring.

What we do with your data

  • We process applications for jobs and voluntary roles.
  • We write to you to arrange an interview or to let you know that your application was unsuccessful.
  • We conduct interviews based on the data sent to us in your application.
  • We retain the information received from unsuccessful applicants for no more than six months.
  • We retain the information sent by successful applicants in line with legal requirements.
  • We generate additional personal data resulting from appraisals, pay reviews and other routine HR activity during the period of employment.
  • We process employees’ details through the payroll.
  • We keep some of your data stored on our secure database protected by a password policy and some in locked filing cabinets. We keep employee data for six years after an employee leaves the organisation for regulatory reasons, and thereafter, the data is securely destroyed.
  • We keep the data provided to us by unsuccessful applicants for six months and thereafter the data is securely destroyed.

To support our fundraising activity

This includes processing donations you have made to us and providing other services including sending you products or information you have requested.

Lawful basis for processing

Consent

  • Our fundraising and marketing activity is carried out on the basis of consent. We ensure that we have explicit consent for all fundraising requests, electronic marketing activity and media activity.
  • You may withdraw consent at any time by emailing [email protected]. This will not affect the lawfulness of the processing of your information prior to your withdrawal of consent being received and actioned.
  • You do not need to provide us with any personal information when making a donation. In that case, the donation will be recorded as anonymous.
  • If you make a donation to us, and provide your name and contact details, we assume that you consent to us contacting you in connection with that donation.

Contract

If you have agreed to fundraise for us in a specific context, we may process your data on the basis of a contractual relationship, if such a contract exists between us.

Legitimate interest

We create lists of supporters, contacts and guests, and we analyse our supporter data. This processing is in our legitimate interest and does not unduly impact on the data protection rights of our supporters.

For more information on how we analyse supporter data, please see the section below on fundraising research and analysis including profiling.

How we process your donation

  • Your data is processed initially by payments companies operating as data processors, with which we have binding contracts and whose data protection procedures we have satisfied ourselves are adequate. Donors’ personal details are passed to us by these payment gateway processors. No bank details or payment card details are passed on to us by the payment processors.
  • We receive donations through third party online donation forms, through third party fundraising websites, by bank transfers directly to our bank account, through direct debits and standing orders, as cheques in the post and as cash. In all cases we aim to record the name and details of the donor and the reason for the donation.
  • After we receive your donation into our bank account, we input your details to a secure donor database.
  • We contact you to ask for a Gift Aid declaration if we do not already have one on file.
  • We send you a thank you letter or email unless requested not to.
  • We claim Gift Aid where we have a valid donor declaration.
  • We keep your data stored on our secure database protected by a password policy. We keep your data for seven years after our final contact with you for regulatory reasons, and thereafter, your data is securely destroyed.
  • We analyse the anonymised data to help us to plan future fundraising activity and to understand the motivations of our supporters.

Technical details

The donation forms linked to from the Changing Faces website are hosted and managed by a company called iRaiser. iRaiser integrates with the following secure payment gateways to process online payments:

  • GoCardless: Direct Debits are processed through a payments company called GoCardless.
  • Stripe: One-off and regular credit/debit card donations and mobile donations such as Apple Pay are managed by a payments company called Stripe.
  • PayPal: iRaiser also integrates with PayPal to handle one-off and subscription PayPal donations.

Where third parties are used to process payments, your data is managed by these companies in line with their privacy policies. These companies all comply with PCI-DSS certification to ensure secure processing of your financial transactions.

If you are donating or participating in an event through a third-party website, such as JustGiving, that website’s privacy policy will apply. We receive your details only if you consent for these to be passed on to us and we use the data in line with your consent.

What we do with your data

  • We process any donations we may receive from you, including acknowledging and thanking, and input your details to a secure donor database.
  • We contact you to ask you to help us raise money, to donate money to us or to provide non-financial assistance (always in accordance with your marketing preferences).
  • We provide information about our work or our activities that you have asked to receive.
  • We send you items you have requested by telephone or via our website.
  • We analyse and improve the services we offer.
  • If you are fundraising for us in a specific context:
    • We advise you on setting up a fundraising page.
    • We offer you fundraising materials to help you with your fundraising.
    • We advise you on the best ways to fundraise.
    • We make you aware of your obligations, where Changing Faces has purchased your fundraising place.
  • We may contact you about a donation you have made or an event you have expressed an interest in or registered for.
  • We may send you information about a race or other event you are a participant in.
  • If you have asked us not to use your information for marketing purposes, we will retain your name, home address and email address on a suppression list to ensure we do not continue to contact you.
  • We keep your data stored on our secure database protected by a password policy. We keep your data for seven years after our final contact with you for regulatory reasons, and thereafter, your data is securely destroyed.

For marketing purposes

Lawful basis for processing – consent

  • We ensure that we have explicit consent for all electronic marketing activity and media activity. This includes all individual stories, photos and experiences where the data can be identified to an individual. All information provided for marketing purposes is voluntarily provided.
  • You may withdraw consent at any time by emailing [email protected]. This will not affect the lawfulness of the processing of your information prior to your withdrawal of consent being received and actioned.
  • Where we pseudonymise the data that we process, and destroy the link to the original data, the processing does not fall within this privacy statement.

What we do with your data

  • If you share a personal story with us via our website or social media channels we may invite you to consent to future communications from us and to sharing your story more widely. Sometimes Changing Faces is invited by journalists to contribute to news stories relating to our cause, and in this situation, we may invite you to participate or to allow us to use your story for these purposes.
  • We may supplement or add to the information we hold about you with information that is available through, or we receive from, other sources for example public registers, or third-party information services. This allows us to send you the most relevant information and promote those fundraising opportunities that we believe you are most likely to be interested in.
  • We may contact you by mail, email, phone, text or social media direct messaging.
  • We create lists of supporters in order that we may better understand the interests of our supporter base, the reasons for that support, and how best to interact with our supporters. We may use the lists we create to select individuals to contact for fundraising or marketing campaigns. We never share or swap our lists of supporters. Please see the section below on fundraising research and analysis including profiling.

How we ask for your consent

When you make a donation on our website, we ask the following question to ensure that you consent to us using your data for marketing and fundraising purposes:

Contact by email: We’d love to stay in touch with you by email about our work, fundraising activities and ways to get involved. Yes, you may use my email address to update me.

If you tick the box to signify that you consent to email contact then your name and email address will be uploaded to a mailsite called MailChimp. MailChimp stores your details securely and we use them to send you copies of our newsletter and mailings linked to specific campaigns.

When we register you as a skin camouflage or a wellbeing client, we ask for your consent to marketing and fundraising communications using the following template:

[Image: screenshot of a page on a database showing the fields that are completed to log someone's contact preferences]

The template we use when asking for your consent to receive marketing and fundraising communications.

If you have asked us not to use your information for marketing purposes we will retain your name, home address and email address on a suppression list to ensure we do not continue to contact you.

We keep individual stories, photographs and videos, and contributors can withdraw their consent for us to use these at any time. We periodically review such data to ensure our content is relevant and up to date, and the data is securely destroyed when it is no longer being used by Changing Faces.

For fundraising research and analysis including profiling

Lawful basis for processing – legitimate interest

We create lists of supporters, contacts and guests, and we analyse our supporter data. This processing is in our legitimate interest and does not unduly impact on the data protection rights of our supporters.

What we do with your data

  • We carry out data matching on people who support us through donating, fundraising and campaigning. This means that we will combine information you have given us with information from other sources.
  • We do data matching to:
    • Build a better profile of our supporters so we can more effectively target our communications.
    • Tailor our communications to you to predict the level at which you might be able to support us in the future.
  • We do research using publicly available sources to better understand our supporters or potential supporters. We use the research to tailor and target our fundraising events and communications (including volunteering opportunities) to those most likely to be interested in them. This allows us to be more efficient and cost-effective with our resources, and also reduces the risk of someone receiving information that they might find irrelevant, intrusive or even distressing.
  • We may undertake in-house research and may engage other organisations such as Factary or Milestone Research to create a fuller understanding of your interests and your support of Changing Faces, and to help us identify people who may be able to support us with a larger gift. We use existing data you’ve given us from Changing Faces’ own database and combine this with information from publicly available sources and records such as the electoral roll, land records, ‘rich lists’, charity websites and annual reviews and Companies House records. We may also collect information on your interests, for example board memberships, career, hobbies, or from articles about you in newspapers or magazines. We only use reputable sources, where someone would expect their information may be read by the public.
  • We create lists of supporters in order that we may better understand the interests of our supporter base, the reasons for that support, and how best to interact with our supporters. We may use the lists we create to select individuals to contact for fundraising or marketing campaigns. We never share or swap our lists of supporters.

You are free at any time to opt out from this activity. Please email [email protected] to opt out of this activity.

For administration purposes

Lawful basis for processing – legal and legitimate interest

  • The processing of personal data for Disclosure and Barring Service (DBS) and Protecting Vulnerable Groups (PVG) checking is done for legal reasons.
  • The processing of personal data to understand, manage and improve how Changing Faces operates its services is based on the legitimate interests of Changing Faces. Personal data is anonymised and the individual’s rights and freedoms are not affected.
  • Changing Faces has a legitimate interest in processing personal data in fraud detection and prevention.
  • We may process your data if we believe we have a legitimate interest in doing so for organisational purposes, and if the processing does not unduly affect your individual rights and freedoms.

What we do with your data

  • We manage our safeguarding responsibilities to our clients and other users of our services.
  • We manage and document serious incidents, accidents and near misses. This data is stored on a secure server with access limited by password.
  • We anonymise personal and diversity data to evaluate the reach and impact of our activities.
  • We keep records to manage feedback or surveys.
  • We document and follow up any complaints we receive.
  • We send activity invoices to NHS bodies. This may include personal data, but will not include sensitive data and will be done within a secure environment.
  • We maintain lists of contacts, guests and email contacts for fundraising and marketing purposes.
  • We may process personal data for fraud prevention.
  • We retain data relating to complaints and incidents indefinitely as part of Changing Faces’ corporate record. It is stored on secure data files and archived after five years.
  • We retain data relating to operations, including anonymised personal data, indefinitely as part of Changing Faces’ corporate record. It is stored on secure data files and archived after five years.

The accuracy of your information

Our aim is for all information that we hold about you to be accurate and, where necessary, kept up to date.

If any of the information we hold about you is inaccurate and either you advise us of this or we become aware in another way of its inaccuracy, we will ensure it is updated as soon as possible.

Information sharing and disclosure

We will not sell your information to any third party.

We may share your information with our data processors. Our data processors are organisations carrying out services for Changing Faces such as managing IT services, hosting and operating our secure database, sending out mass emails or materials and processing donations. Our relationships with our data processors are subject to contracts defining the responsibilities of the data controller and the data processor and confirming that all parties comply with relevant data protection law.

We may disclose your personal information to third parties if we are required to do so by a legal obligation, for example to the Police or a government body; or to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.

We claim part of the cost of skin camouflage treatments from NHS bodies. We raise invoices quarterly and, in some cases, we are requested to send backing data which identifies the recipients of skin camouflage consultations using NHS numbers only. The backing data is sent via a secure nhs.net email link, and no sensitive data is ever shared in this way.

We may share data relating to specific health conditions or lifestyle issues, but we will only ever do this in an anonymised, aggregated manner.

Other than this, we will not share your information with other organisations without your consent.

Many of our supporters who participate in events to raise funds for Changing Faces set up a personal page on specialist fundraising platforms (such as JustGiving or Virgin Money Giving) designed to help individuals and charities raise money and maximise the use of Gift Aid. Personal data provided by Changing Faces supporters for this purpose to JustGiving and Virgin Money Giving is passed to us. We store this information in our database and use it to communicate with our supporters about their fundraising activities.

Children’s data

We ensure that when processing children’s data we comply fully with the existing protection and safeguarding legislation. Children are able to exercise their own data rights as soon as they have capacity and understanding, which is ordinarily assumed around the age of 12.

Any child aged under 16 who would like to engage with us, and whose personal data we need for that purpose, must also have a parent or guardian’s permission to do so before giving us those details.

Vulnerable people’s data

We recognise the importance of protecting our vulnerable supporters and we follow the Code of Fundraising Practice in the UK issued by the Fundraising Regulator. We believe this facilitates the provision of high-quality supporter care, ensuring anyone donating to the charity is in a position to make a free and informed decision.

If an individual appears vulnerable, we will offer them a cooling-off period, or more time before taking a donation. If we believe the individual lacks the mental capacity to make a decision, we do not take a donation.

Storing your information

For financial and technical reasons, we may, on occasion, need to use the services of a supplier outside the European Economic Area (EEA).

Data may need to be transferred and stored outside the EEA, including in the USA where it will be held in full compliance with General Data Protection Regulation (GDPR) 2018, ensuring security of information equal to that required by the UK and throughout the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefit from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a data processing agreement which contains model EU data protection clauses.

Your record will be deleted if we have had no contact or interaction with you over a period of seven years, and you have opted out of communications. This retention period has been determined with consideration for our legal obligations and tax and accounting rules, and we reserve the right to change it to reflect subsequent changes in those rules and obligations.

Our website and social media

By using our website, social media pages, entering a competition or providing your information, you consent to our collection and use of the information you provide in the ways set out in this policy.

For all areas of our website which collect personal and financial information, we use a secure server. We take great care to ensure that our websites operate at the highest security levels and that our suppliers are committed to best practice in digital security. All personal information and financial data are encrypted in transmission.

However, the security of data transmission via the internet can never be 100% guaranteed, and data transmission is at your own risk.

Cookies and analytics

Cookies are small text files which are downloaded to and stored on your computer or device when you visit a website. Cookies are commonly used by website owners to provide you with a good experience while you browse and provide information which can help website owners to improve websites.

Our website uses a combination of necessary cookies, statistics cookies (including Google Analytics which helps us understand how visitors interact with our website, by collecting and reporting information anonymously), and marketing cookies.

Read our cookie policy for further information, including details of specific cookies that we use and how you can control your cookies.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statements for other websites.

Updating our policy

This policy was last updated in January 2021. Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

Responsibilities

All employees and volunteers who process data are responsible for complying fully with this data protection and privacy policy. We ensure that appropriate and up-to-date training and knowledge are shared across the organisation in order that we fully comply with our responsibilities for keeping your data safe and secure.

Self-employed contractors and volunteers are notified of their responsibilities when they begin delivering services to or volunteering with Changing Faces.

Your rights

You have the right to request:

  • Details of the processing activities that we carry out with your personal information through making a subject access request.
  • Rectification of information that is inaccurate or out of date.
  • Erasure of your information (known as the “right to be forgotten”).
  • Restriction of the way in which we are dealing with and using your information.
  • That your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”).
  • Your rights in relation to automated decision making and profiling including profiling for marketing purposes.

If you would like a copy of some, or all, of your personal information, please make a request to our Data Protection Officer using the details provided below. We will provide this information to you without charge, unless requests are manifestly unfounded, repetitive or excessive, in which case we are entitled to charge a reasonable administration fee.

If you believe we are not respecting your rights, please let us know and we will do our best to remedy any failings in our approach. If you are still unhappy with our processing of your personal data, you are entitled to make a complaint to the Information Commissioner’s Office. You can find further information on their website at www.ico.org.uk or by calling them on 0303 123 1113.

Questions

If you have any questions or queries about this privacy and data protection statement, or if you would like to request a copy of the information we hold about you, please contact the Changing Faces Data Protection Officer at the address and contact details below:

  • Write to us at:

Data Protection Officer,
Changing Faces, PO Box 76751,
London
WC1A 9QR
