Privacy policy

What is personal information?

Personal information

Personal information is any information that can be used to identify you. For example, it can include information such as your name, date of birth, email address, postal address, telephone number, IP address, credit/debit card details, CCTV footage, and information relating to your health and personal circumstances.

Special Category Data

Data protection law recognises that certain categories of personal information are more sensitive. These are known as 'special category data' and include information relating to health, race, ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), sex life and sexual orientation.

Criminal Offence Data

Personal data relating to criminal convictions and offences (including allegations of the same) is also subject to extra safeguards.

How do we obtain your personal information?

We may collect personal information when:

• you give it to us, or we collect it from you, directly - for example, when you sign up for one of our events or donate to us, and where you visit our websites or open our emails (with your consent where necessary: please see Cookies and similar technologies);
• you give permission to other parties to share it with us - for example, when you have told an event organiser such as the London Marathon that you would like to hear from us, or where a friend, family member or legal representative has contacted us on your behalf; or
• your information is available publicly, for example, from Companies House or the Land Registry or is available from external sources such as Experian, or, depending on your privacy settings, from social media and messaging services such as Facebook, YouTube etc.

Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. We will also explain the consequences of any failure to provide any mandatory information: for example, failure to provide us with your contact details will mean that we cannot contact you, and failure to provide us with your payment details will mean that we cannot complete a transaction.

Apart from personal information relating to yourself, you may also provide us with the personal information of third parties, such as when you contact us on behalf of, or with your concerns about, friends and family, or send us photographs including other people. Before you provide such third party personal information to us you must make sure that these third parties are aware that you will provide such data and of how it will be used by us, as detailed in this Privacy Policy.

Your Rights

You have a number of rights in relation to your personal information. You should note that these rights are not absolute, so we do not always need to comply with your requests, but we will make sure we explain our reasons to you if this is the case.

To exercise any of your rights, please contact us.

We may ask you to provide additional information to prove your identity, for example, to provide a copy of an identification document, before we allow you to exercise a right. This is for your security: we consider that we have a legitimate interest in ensuring that we only allow the correct individuals to exercise the rights to which they are entitled. This is for your security, and aims to prevent fraudsters from accessing the information we hold about you.

We will respond to any such request within 1 month. If we refuse a request, we will explain our reasons and let you know how you can challenge our decision.

If you are unhappy with how we've dealt with your request or used your data please tell us so we can sort it out. However, if you are still unhappy you have the right to complain to the Information Commissioner’s Office (ICO). The ICO can investigate your claim and take action against anyone who has misused personal information. Please visit https://ico.org.uk/concerns or call the ICO helpline on 0303 123 1113 for further information.

Your rights – more details

Right to be informed

You have the right to be informed about the collection and use of your personal information, and we are also required to ensure that we are transparent about how we use your personal information.

This Privacy Policy explains how we process your personal information.

Right to access

You have the right to ask us to confirm whether we process any of your personal information, and to provide access to any personal information we do hold about you.

Right to correct your personal information

We aim to ensure that all personal information is correct. If any of the information that you have provided us with changes, for example if you change your email address, please do contact us so that we can keep our records up to date. We will update your records as soon as possible and in any event within one month.

You have a right to require us to correct any information about you that is inaccurate, and you may also ask us to remove information which is inaccurate or to complete information which is incomplete. We may seek to verify the accuracy of the personal information before rectifying it, and in some circumstances we will need to keep a copy of the inaccurate data (for example, if we need to keep an audit trail).

If we do update inaccurate information, we will inform relevant third parties with whom we have shared your data so they may update their own records.

Data portability

In some situations, you have a right to obtain your personal information from us in a structured, commonly used and machine-readable format and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data. This includes the right to require us, where technically feasible, to pass on information we obtained from you to another data controller.

This right applies when we are relying on your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the lawful ground for processing, and we are carrying out processing by automated means.

Right to erasure ('right to be forgotten')

You have the right to require us to erase your personal information in certain circumstances, for example:

• where it is no longer necessary for us to continue holding or processing your personal information for a particular purpose;
• if you withdraw your consent to certain processing (in relation to which we rely upon your consent as a lawful basis); or
• if you have objected to processing in relation to which we rely upon our legitimate interests, and we have no overriding interest or that personal information is processed for direct marketing purposes (and this includes profiling to the extent that it is related to such direct marketing).

This right is not absolute: for example, we do not have to delete your data if we need to continue processing this information to comply with our legal obligations, or for the establishment, exercise or defence of legal claims. We may also need to keep some information about you in order to, for example, comply with an instruction not to contact you again.

Right to restriction of processing

You have a right to ask us to restrict our processing of your information if:

• you contest its accuracy and we need to verify whether it is accurate;
• the processing is unlawful and you ask us to restrict use of it instead of erasing it;
• we no longer need the information for processing, but you need it to establish or defend legal claims;
• you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests. If you exercise your right to restrict processing, we would still need to process your information for exercising or defending legal claims, protecting the rights of another person or for public interest reasons.

This is an alternative right to the right to be forgotten and it is not an absolute right.

Right to withdraw consent

If we rely on consent as the legal basis for processing (see How do we use your data?) you can withdraw your consent to that purpose of processing, and we will stop that particular processing.

However, we may still continue to use the same data for other purposes: for example, you withdraw your consent to receipt of direct electronic marketing from us, and also make a complaint, we may rely on our legitimate interests to process your personal information in order to investigate that complaint.

Right to object to processing

You have the right to object to: processing that is based on legitimate interests or performance of a task in the public interest (including profiling); direct marketing (including profiling for the purposes of direct marketing) and processing for the purposes of scientific, statistical or historical research.

We must comply with any request to stop processing for the purposes of direct marketing. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

If you would prefer us not to profile you for the purposes of targeting or tailoring our fundraising efforts, please contact us.

Lawful basis for processing

Personal information

We and our partners collect and process your personal information for various business purposes, in accordance with applicable laws. It may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigations).

UK data protection laws require us to have a specific lawful basis for each purpose for which we process your personal information. We explain these purposes and the corresponding lawful basis in the section on How we use your data.

We generally process your personal information on one of the following bases:

• the processing is necessary for our legitimate interests (as identified in the section on How we use your data), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information;
• we have obtained your consent to use your personal data for the stated purpose;
• the processing is necessary for compliance with a legal obligation. to which we are subject; or
• the processing is necessary for the performance of a contract. to which you are a party or in order to take steps at your request prior to entering into such a contract.

We may also rely on other bases (for example, where the processing is necessary in the performance of a task carried out in the public interest, or where the processing is necessary in order to protect your vital interests or those of another person) on an exceptional basis, if none of the above conditions apply.

Special Category Data

We collect special category data (usually health data) mainly so that we can give you advice, to ascertain what services are relevant to you or to provide other services and support to you. We may also collect this information in other situations, for example, when we are carrying out research we may collect this information if you have publicly posted online about your cancer treatment.

In order to process any special category data, we need to ensure that we have a particular reason to do so, in addition to the general lawful bases set out above. This reason needs to relate to one of the additional lawful bases for processing set out under UK data protection laws.

We generally process your special category data only:

• with your explicit consent; or
• where you have 'manifestly made public' this information.

However, we may also rely on other bases where neither of the above apply, including but not limited to where the processing is needed for legal claims, is necessary for substantial public interests (as set out in UK data protection law), is necessary for reasons of public interest in the area of public health, or exceptionally, where the processing is needed to protect your life or the life of another.

Criminal Offence Data

We very rarely process any Criminal Offence Data, and we only process this type of data where we have a clear legal basis to do so under UK data protection law. This is usually where the processing in question is necessary for the purposes of preventing or detecting unlawful acts.

For example, we might process such data:

• if we had a recording of a theft captured on CCTV cameras at one of our premises which we needed to share with the police; or
• to allow us to investigate, and if appropriate bring prosecutions against, persons using the Macmillan brand to carry out fraudulent fundraising supposedly on our behalf.

How we use your personal information

Index / Quick Links:

• To allow us to better understand current and potential supporters
• To contact you and to promote our cause
• To allow you to support us, and to assist our supporters
• When you purchase from us online or enter the Macmillan lotteries, raffles and prize draw
• When you attend or sign up for an event or training course
• When you seek, or we provide, our advice or support or you use our services
• Using our online resources, visiting our websites or referring to us online
• Volunteering
• If you're under 18
• Performers
• Research
• Payment processing and Gift Aid
• For our own internal purposes

To allow us to better understand current and potential supporters

Profiling

Profiling means gathering information about an individual or a group of individuals and analysing their characteristics or behaviour patterns in order to place them in a certain category or group, and/or to make predictions or assessments about their ability to perform a task, their interests or likely behaviour.

We believe that we have a legitimate interest in profiling supporters and potential supporters as explained below. Profiling allows us to understand our supporters better, so we can send you information that you are interested in and is relevant to you, and predict how you might be able to help us in the future, to make sure we don’t send marketing to vulnerable individuals, and to raise more funds, sooner, and more cost-effectively, than we otherwise would. It allows us to be more efficient with our resources, which donors consistently tell us is a priority for them, and to assess and improve our services more generally.

We also use profiling to identify which areas of the UK have a particular need for our support, and we consider that we have a legitimate interest in carrying out this analysis to help us target our support to those areas where it is most needed.

Please see the section on online advertising for information about how your personal data may be used in this context.

If you would prefer us not to use your personal data in this way, please contact our Data Protection Officer at Macmillan Cancer Support, 89 Albert Embankment, London SE1 7UQ, or by email at infogov@macmillan.org.uk

Building a profile

In order to create a profile for you, we (or our trusted service providers) may use the information which you give us and which we collect from external resources, such as Experian, including information that is publicly available about you. We may also combine your information with data already held internally by Macmillan.

This information may include:

• Information you give us/ we collect from you such as name, age, gender, address, donation history, the events, campaigns and products you have engaged with, the results of any surveys you have completed for us, your volunteering status and any previous segmentation; and
• Information from external sources such as age, property prices and average earnings where you live, your job, directorships, your financial circumstances, networks, any previous donations you have made, your philanthropic interests (trusteeships and/ or support to other charities), and your estimated wealth.

For example, if you support us, we will match your postcode using Experian's tool MOSAIC to get information about you which market segment you fall into (which includes categories such as household income band, household composition and other demographic information).

Segmentation

We use Experian for behavioural analysis on our supporters, to help us segment our supporter database (i.e. to put you into categories with other supporters with similar characteristics) and to enable us to profile other supporters, if we have a legitimate interest to do so.

We also use, and may engage independent companies to use, software tools and predictive analytics to help us analyse who is most likely to donate to us and to more accurately target our engagement with you. These tools use data we already hold on you, but may also obtain data from external sources, such as GI, YouGov or Experian, to help with this assessment.

We may also use this information to help us determine whether and in what ways you might be interested in getting involved in our other fundraising activities.

Profiling allows us to understand the background of the people who support us and use our services and helps us to:

• ensure communications are relevant and timely, and to provide an improved experience to our supporters, for example, to send information about campaigns and services in your area (with your consent, where required);
• find potential new supporters and invite them to be involved in supporting our cause;
• determine whether and in what ways you might be interested in getting involved in our other fundraising activities;
• better tailor our services to our supporters, for example by sending tailored communications which may be of interest to you, and making appropriate requests to supporters who may be able and willing to give more than they already do; and
• to exclude people who may be vulnerable from marketing, for example, people living in care homes and minors (under 18s).

High value donors

We, like many other charities, carry out research in order to engage with suitable high value donors. This helps us identify people who have an interest in our cause and could potentially make a substantial donation.

We process personal information on existing and potential high value donors to help us support more people with cancer. We can achieve this aim by increasing the number of people we engage with who have the capacity to give £10,000 or more to us in a single donation.

Researching potential high value donors enables us to focus our fundraising resources whilst ensuring that our requests for support are tailored to each individual. Our personalised approach helps us to provide the best possible donor experience that is aligned with an individual's interests and capacity to give.

If you would prefer us not to profile you as explained below, please contact our Data Protection Officer at Macmillan Cancer Support, 89 Albert Embankment, London SE1 7UQ, or by email at either PhilanthropyEnquiries@macmillan.org.uk or InfoGov@macmillan.org.uk.

Identifying potential high value donors

We identify potential high value donors by:

• Carrying out research on donors who have given £1,000 or more to us.
• Asking our existing high value donors to give again.
• Inviting potential high value donors to attend our supporter events as a way of engaging them with us. We also identify potential new donors by researching event attendees who were previously unknown to us.
• Researching people who have not given to us in the past but who we believe may have a connection to our cause and have the capacity to give at a high level.
• Asking our donors and influencers to open up their networks to us.
• Asking our donors and influencers to introduce us to potential donors we have identified through our research and that they have a link to.

Our initial research is undocumented and involves some basic checks looking at publicly available information, e.g. using Google, a public LinkedIn profile and Zoopla.

We do not process cancer (or other special category) data at this stage, unless the individual in question has manifestly put it in the public domain (e.g. have themselves given interviews to media outlets or published articles/ public blog posts revealing this information). Fundraising teams do not have access to any information given to a Macmillan health care professional about a cancer experience and we never use this information in any research into potential high value donors.

Creating Research Profiles

If our initial research is promising, or if someone has donated £10,000 or more to us, we will create a research profile of the individual using information sources such as BoardEx, Companies House, Who's Who, The Charity Commission, JustGiving and Twitter.

We also use these information sources to identify potential new donors who have previously given at a high level and may have an interest in our cause (e.g. we would search for someone who would be a good fit at a 'Women of Influence' event being hosted in Scotland). If we discover that someone in our network knows a potential donor that we have identified, we might ask them to facilitate an introduction.

We sometimes ask existing supporters whether they would be prepared to open their networks up to us. An existing supporter may tell us about an individual previously unknown to us and facilitate an introduction. In this scenario we would advise our existing supporter about our data responsibilities and ask them to ensure that the individual in question is happy for an introduction to take place. Following the introduction, we would direct the individual to this privacy policy and ask them to confirm how they would like to hear from us.

In the two scenarios above, we may create a research profile on someone who we have never had any contact with before. In this case, we plan to make contact within 30 days to tell the person about this privacy policy. If we attempt to make contact but are unable to do so, we will try again within the next 30 days and delete the research profile if we are still unsuccessful.

After we've created a research profile, we score potential donors under each of the following headings:

• Ability
• Interest
• Linkage

These scores are an estimation of an individual's capacity to give to us, their interest in giving to us and any links they have to our cause. This helps us to prioritise our resources and develop more relevant funding proposals as we seek to generate support for people with cancer.

Lawful grounds for processing

We rely on legitimate interests as our lawful basis for identifying, researching, and otherwise processing the personal data of our potential high value donors as set out above.

It is important for us to know about our donors' experience of cancer, as we know that 75% of our donors have had an experience of cancer and that this has a significant impact on their interest in supporting our work. This is classed as sensitive or ‘special category’ data: so, if we come across details of a potential donor's cancer experience we will only record this if the individual has manifestly made it public. If an individual tells us directly about their experience of cancer, or shares any other special category data with us, we would only capture this data if we have their consent to do so.

Our Philanthropy and Supporter Events team foster long term relationships with our existing and potential donors. However, we are committed to only keeping data on individuals with whom we have an active relationship. We therefore remove the data captured in the ways described above if the existing or potential donor has not interacted with the Philanthropy and Supporter Events team in the previous four full calendar years.

Email tracking

When you receive an email from us, we may receive certain information about how you interact with that email.

The information we collect includes the number of times you have opened the email; if you have clicked links in the email; whether you have unsubscribed or marked the email as spam; whether the email has bounced; whether you have shared the information on social media, or forwarded it to friends.

We use this information to assess how successful our email campaigns are; to identify what you are interested in and target further marketing campaigns more accurately; to reduce the frequency with which we contact you if appropriate; and to remove you from our mailing lists where you have asked to unsubscribe.

We use an email service provider called 'Dotmailer' to do this.

Lawful basis for processing: We consider that we have a legitimate interest in carrying out email engagement tracking as this ensures you do not receive irrelevant or unwanted emails, as well as allowing us to use our resources and fundraise efficiently.

To contact you and to promote our cause

Direct marketing

From time to time we may send you communications about our work and how you can help us, for example, information about our campaigns, volunteering, fundraising activities and how you can donate to us. We may also get in touch to tell you about services available in your area. Occasionally, we may include information from partner organisations or organisations who support us in these communications.

• We will only send you marketing information electronically (e.g. by email or text/SMS) if you have specifically agreed to us doing so. We rely on consent for this processing, and you can withdraw your consent at any time by clicking the 'unsubscribe' link in any of our messages to you.
• We may send marketing information by post or call you for marketing purposes, unless you have previously opted out or said that you don't want to be contacted. We also use a data cleaning company (REaD Group) based in the UK to ensure that our address records are accurate and up to date, and to stop mailings to people who have died. We rely on legitimate interests for this processing, as we consider that we have a legitimate interest to promote Macmillan Cancer Support to potential and actual supporters.

You can change your marketing preferences at any time by emailing contact@macmillan.org.uk or calling us on 0300 1000 200.

If you ask us to stop sending marketing information we will update our records to stop further mailings as quickly as we can. However, you may still receive further mailings which were already in progress before you asked us to stop.

We use service providers, such as Engaging Networks and Dotmailer to send marketing emails on our behalf.

Please see the section on Profiling for further information about how we decide what marketing to send to whom.

Operational communications

From time to time we may contact you in relation to specific operational matters. For example, we may contact you about a query or complaint that you have raised, or an order you have made, or to remind you that we will call you back. Depending upon how you have contacted us, we may get in touch via phone, post, email, text message or social media.

We rely on legitimate interest to send you this type of communication, except where we are sending you text messages, in which case we obtain your consent.

We use service providers, such as Engaging Networks and Dotmailer, to send this type of email on our behalf.

Online advertising

We advertise on Facebook, Instagram, and Google as well as some other online platforms. We also place adverts on other websites.

We are careful to distinguish in our online advertising activity between promoting and supporting our fundraising events, and making information available to people living with cancer, as we manage these differently.

There are various ways that you may see our online advertising:

1. Advertising on particular types of website - for example newspapers and magazines' websites. This is 'contextual advertising' - we buy space on these websites and our adverts are shown based on other content displayed on the page: it is not targeted to particular individuals.
2. Advertising to people signed up with an online platform (such as Facebook or Google) based on what the platform knows about them, e.g. we may ask Facebook to show a particular advert to people interested in running events living around Birmingham, or men aged over 50 living in the North East of England in lower income brackets. We use this method to promote general awareness of Macmillan, fundraising and information about the support available for people living with cancer that Macmillan provides. In the latter case we do not track individual responders, we keep a tally of how many people clicked through to our information page so we understand whether our advertising is effective. We also do not target individuals based upon any special category personal data (e.g. health data) - instead we would target a segment of the population that may benefit from an increased awareness of available support or screening programmes (for example).
3. Advertising to groups of people online - as in point 2 above but instead of using data held by a relevant platform about platform users, we use data purchased from third parties including: Audience2Media, The Trade Desk, Media IQ, Acquisition London, AdYouLike, Captify, Teads ,S4M, Eyeota, Mobsta and Precision to identify relevant audiences who our adverts are then shown to. These providers have as a minimum obtained consent under the Interactive Advertising Bureau Transparency and Consent Framework for this use of their data.
4. 'Look-alike' / 'Similar' audiences: We send a list of 'hashed' email addresses to an online platform such as Facebook or Google (hashing is a security measure whereby the information is turned into a code). The online platform matches these hashed email addresses to existing users, and then creates a group of people with similar characteristics and present our advertising to them. We use this method for our fundraising campaigns only.
   
   'Custom audiences'/ 'Customer matches': We use a similar method to send information and support about our fundraising campaigns to people who have already signed up for these. We send a list of hashed email addresses of persons who have signed up to our fundraising campaigns to the online platform, and the online platform then matches these email addresses to users. For example, if you signed up to the World’s Biggest Coffee Morning event, you might see event information when you are logged in to a relevant online platform.
   
   We also use 'Saved' audiences to remember which supporters on Facebook are most likely to respond to our fundraising, campaigning and marketing requests.
   
   The hashed data that we share with Facebook and Google is deleted after a short period of time and not used for any other purpose. For more information, please review their respective privacy policies, the UK versions of which are available at https://en-gb.facebook.com/policy.php and https://policies.google.com/privacy?hl=en-UK
5. Cookie based advertising. Advertising cookies (and similar technologies such as tags) can track your activity online. We have advertising cookies on our websites and our online shop: when you visit, you will be offered the option to accept or refuse these. If you accept them, these cookies will record information about how you interact with our websites and this information will then be used to serve you with relevant adverts on other sites such as Facebook or Pinterest based on the content that you have clicked on or interacted with.
   
   If you click to accept cookies for advertising, the information stored in these cookies may also be used to: create a 'lookalike' or 'similar audience' of people with similar interests and characteristics to the group of people who clicked on the same thing; or to send a remarketing message to you about the same thing you clicked on before. This helps us to ensure that our digital advertising campaigns are as cost-effective as possible. We only use this method for our fundraising campaigns. We rely on consent for this processing.
   
   Where our webpages use 'third party' cookies, such as Facebook cookies, we may act as a 'joint controller' with those third parties. Further information about how these third parties, including Facebook Ireland, process your personal data, including how you can exercise your data subject rights in respect of such third parties, can be found in their respective privacy policies. Facebook Ireland’s privacy policy is available at https://www.facebook.com/about/privacy.

We track people's interactions with our adverts so that we know when an individual has clicked on an advert. This allows us to measure the effectiveness of our campaigns, and also in some cases (as explained above) to make sure you see more adverts which are relevant to you. We do not track the responses of individuals clicking on our adverts offering support to people living with cancer.

Save where stated above, we rely on legitimate interests for this processing as we believe that we have a legitimate interest in identifying the most appropriate target audience for our advertising content, as this helps us to fundraise and to raise awareness of cancer related issues and available support more effectively and efficiently.

We have a strict policy for approving cookies and similar technologies, and will never permit cookies that collect any special category information. We do not share special category data with external companies such as ad tech providers or media brokers for targeted digital advertising purposes.

For more information on our use of cookies please see Cookies and similar technologies and How we Use Cookies

Journalists

We keep a database of journalists, which includes contact details and employers. We also use a similar database supplied to us by a media intelligence company.

We believe the privacy impact on journalists is small and we only use this information to build relationships with journalists who can help us to promote our charitable aims.

We rely upon our legitimate interest in promoting our charitable aims for this purpose.

To allow you to support us, and to assist our supporters

Participating in a fundraising event

When you sign up to participate in one of our fundraising events, (or your team captain signs you up), we will ask you to provide certain information so that we can confirm your place, send you information about the event (and a Macmillan t-shirt if you requested one!), and claim Gift Aid (if you choose to donate in this manner). We may also ask you for health information, for example whether you have particular dietary or access requirements.

For special events, such as Macmillan dinners or balls, we will be the organiser and the controller. For some events (e.g. challenge events where you are raising sponsorship for us), we may take registrations on behalf of the organiser. When you are registering for these events, we will make it very clear who is the event organiser and if we are sharing the information you provide with the event organiser.

When you pay to enter an event, we may work with payment processors such as Worldpay who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

If a third party is organising the event, then we will share your details with that third party.

If you have chosen to donate to us through Gift Aid, your full name and home address, and details of your donation will be shared with HMRC: if you do not provide this information, your Gift Aid declaration will be invalid.

Please see the section on Payment Processing and Gift Aid for further information.

We rely on your consent to process your information to enable you to take part in the event, and to claim Gift Aid. We also rely on explicit consent where you provide us with health information, for example, to allow us to meet any special dietary or access requirements you may have.

We rely on our legitimate interest in raising funds for processing payments and for sending you information about the event.

Making a donation

When you make a donation to us, we ask you to provide certain information so that we can process your donation (including setting up a direct debit where you choose to do so), claim Gift Aid (if you choose to donate in this manner), and, if appropriate, add you to our marketing lists (please see the section on direct marketing).

We work with payment processors such as Worldpay (for one-off transactions) and CommittedGiving (for regular direct debit transactions) who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

If you have chosen to donate to us through Gift Aid, your full name and home address, and details of your donation will be shared with HMRC: if you do not provide this information, your Gift Aid declaration will be invalid.

We rely on your consent to claim Gift Aid, and on our legitimate interest in raising funds for processing payments. Please see the section on Processing Payments and Gift Aid for further information.

If you make a donation of between £1,000 - £9,999, we will provide your name to the Philanthropy team who may carry out some basic research on you from publicly available sources such as Google, Zoopla and LinkedIn, to determine if your profile is of interest for our Philanthropy programme. This research is undocumented, and it does not include searching for sensitive data or on social media platforms. We rely on our legitimate interest in identifying suitable high value donors for this processing activity.

If you make a high value donation, we will conduct additional due diligence on you, and may also profile you as part of our Philanthropy programme (unless you have let us know that you would prefer us not to do this). This applies to donors who make donations of £10,000 - £99,999, as well as for prospects who we are close to contacting for a donation within the same range. It also applies to any donor, prospect, volunteer or sponsor where there is a low-level public association with Macmillan (e.g. where their name is mentioned in our Annual Report, or where the individual is a secondary sponsor of an event). We may also refresh our due diligence for previous givers.

We conduct due diligence because we have a legal obligation to ensure that we are compliant with money laundering law. However, we carry out further due diligence to ensure that there are no reputational or ethical risks associated with the donor or the donation. We consider that we have a legitimate interest in ensuring that our charity is not associated with persons or causes which could affect our reputation or contradict our values.

When and to the extent that we process Criminal Offence Data or Special Category Data, we will usually rely on the fact that you have manifestly made your information available in the public domain, or if you have provided us with your explicit consent to process such data.

Taking campaign actions online

When you sign one of our petitions or take a Macmillan campaign e-action, we will share your message, and in some cases, your name, with the relevant government department or organisation.

We rely on your consent for this purpose.

When you are taking part in a Macmillan campaign action online, you will be given an opportunity to become a campaigner with Macmillan. If you decide to become a campaigner with Macmillan, your information will be added to our database in Engaging Networks and used as the basis for sending targeted marketing (please see Becoming a campaigner below).

Becoming a campaigner

You can sign up to be a campaigner through the Macmillan website. If you sign up to be a campaigner, we will add you to our database of campaigners on the Engaging Network platform and you will be sent information and opportunities to get involved online and offline.

You may also receive information from our services and other ways you can help, including opportunities to donate, volunteer or fundraise (please see direct marketing). We may also send you information about other campaigns that we are involved in through a coalition or as a supportive organisation. However your details will never be shared with third parties.

We rely on your consent to process your information as a campaigner as explained above (to add you to our database in Engaging Networks and use it as the basis to send you targeted marketing).

When you purchase from us online or enter the Macmillan lotteries, raffles and prize draw

Making a purchase from us online

When you make a purchase from us via our online shop, our wholly owned company Macmillan Cancer Support Trading Limited will be the controller of your personal data. Where you make a purchase from us via a third party auction site or sales platform (such as eBay or Etsy), Macmillan Cancer Support Trading Limited will again be a controller of your personal data, but the relevant auction site or sales platform will also be a controller of such data, and you should refer to their privacy policies for information about how they use your personal data.

We ask you to provide certain information so that we can process your payment and deliver your item, and also so we can provide customer service. Macmillan Cancer Support Trading Limited will also share your information with Macmillan Cancer Support, who may, where appropriate, add you to our marketing lists (please see the section on direct marketing).

You may also provide personal information directly to us when you get in touch with one of our customer helplines which help with queries about orders, refunds, complaints, etc.

If you make a donation to Macmillan Cancer Support via the online shop, then your information will be shared by Macmillan Cancer Support Trading Limited with Macmillan Cancer Support.

If you choose to make a Gift Aid donation, then we will share your Gift Aid declaration and the information it contains with HMRC.

We work with payment processors such as Worldpay who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

Please see the section on Payment Processing and Gift Aid for further information.

We will share your information with our fulfilment companies who will ensure your order is sent to you. Your information may also be shared with a third party who manages our customer support line for us, and manages returns. If you call the customer support line, they may ask you for additional information in order to assist you with your query.

We will also share information about your transaction with HMRC so that we can obtain VAT relief.

We rely on performance of a contract to process your personal information in order to fulfil your order. We consider that we have a legitimate interest in providing our customers with support, for example to let you know if your order has been delayed.

Entering the Macmillan lotteries, raffles and prize draws

When you enter a Macmillan lottery, prize draw or raffle, Macmillan’s wholly owned lottery companies Macmillan Financial Grants Lottery Ltd, Macmillan Cancer Information Lottery Ltd, Macmillan Influencing Cancer Care Lottery Ltd and Macmillan Healthcare Lottery Ltd will process your data for the purposes of administering the Macmillan lotteries, including confirming your eligibility to participate and to subscribe you to a lottery. Our lottery companies may also send you marketing communications in line with your communication preferences. Our lottery companies will also share your information with Macmillan Cancer Support, and Macmillan Cancer Support may add you to our marketing lists (please see the section on direct marketing).

When you enter a lottery or raffle, our lottery companies share data with print and production companies who print tickets, with external lottery managers who administer our lotteries and with fulfilment companies who send out prizes or complete other administrative tasks. We also work with payment processors such as Worldpay who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction. Please see the section on Payment Processing and Gift Aid for further information.

We have a legal obligation to check that you are old enough to play the lottery or enter a raffle, and to retain certain information relating to the lottery / raffle to satisfy our recording keeping obligations to the Gambling Commission and HMRC.

In relation to lotteries and raffles, we rely on performance of a contract to process your information and to subscribe you to the lottery/ raffle. We rely on legitimate interests to process your payment. Please see the section on Payment Processing and Gift Aid for further information.

In relation to prize draws, we rely on legitimate interests to process your information, including to enter you into the prize draw and to notify you if you have won a prize.

You may contact us about our lotteries, raffles and prize draws using our customer helpline on 0300 1000 200 from Monday to Friday, 9:00 am to 5:00 pm.

When you attend or sign up for an event or training course

When you sign up to an event or training course, we collect personal information from you in order to assess whether you are eligible for the training course, to sign you up for and to provide you with information about the course / event, to allow you to reclaim your expenses incurred in attending the course (if applicable) and to evaluate who is signing up for our courses and the impact of the courses. We may also, if appropriate, add you to our marketing lists (please see the section on direct marketing) so that we can send you information about other training courses or Macmillan initiatives in the future.

Examples of training we provide include training GPs in how best to complete forms to allow individuals with cancer to access certain benefits or treatments, or to employees of our corporate partners, such as Boots, on how to best deal with staff and customers with cancer.

If we are using an independent training provider, we will share your information with them. It will be clear when you sign up who this training provider will be. Your name will be shared with the venue to allow them to identify which visitors are part of our course.

We sometimes use third party company event registration tools (e.g. Eventbrite and CVent), and online survey tools such as SmartSurvey. Please check their privacy terms and conditions as some, such as Eventbrite, also collect certain information for their own purposes (such as their own marketing), and Macmillan does not have control over this.

We usually rely on performance of a contract to book you onto the training course and to provide you with the details that you need to prepare from the course (unless there is no contract with you in which case we rely on our legitimate interests in increasing knowledge about the services we provide, or your consent). We rely on legitimate interests to evaluate who is doing the course, and to assess the impact we are having, as it is important to us to understand how we can provide the best service possible.

We may also collect information about access and learning needs, and where training involves lunch, any dietary requirements. This may involve us collecting and processing special category data, for example, if you tell us you have an allergy, or a health condition which requires us to make special arrangements. Where we process this type of information we rely on your explicit consent.

When you seek, or we provide, our advice or support or you use our services

Applying for / receiving a grant

When you apply for a grant from us, for example, for general cancer support, academic research, attending a relevant training course, or funding a role in the cancer workforce, we collect personal information. Grants available include:

• Learning and Development Grants - available to Macmillan Professionals and teams;
• Support Grants - available to Macmillan professionals or other organisations, linked to quality improvement work of direct benefit to people living with Cancer;
• Macmillan Grants - made directly to patients with cancer to help with the additional costs of cancer;
• Indirect Grants/ Partner Grants - for example, funding for the NHS to employ medical professionals, for an organisation to cover salary costs and non-salary costs associated with funding a Macmillan intervention, welfare benefit advisors, NGOs, centres dealing with cancer related issues.

We also provide Macmillan Professional Grants to the NHS to pay for the training of specific nurses – please see Sponsoring your role for further information in this regard.

The information we collect will vary depending upon the type of grant applied for. This may be obtained directly from you (e.g. where you apply for a grant yourself), from a team member / your organisation (if the application relates to a team or organisation), or from a third party, for example if you are referred to us by a third party professional or advisory service such as Citizens Advice Bureau (who will ask for your consent before providing us with your details).

The information collected will usually include your name and contact details, and where relevant (e.g. where a grant is for a Macmillan Professional), may also include information about your role, employer, line manager (including their contact details) and time in post.

Depending upon the type of grant, we may collect information about your health (for example, details of your cancer, including a medical report from a health professional), and about your financial status. In some cases, for example, for Macmillan Grants, or for Learning & Development Grants if you have already paid for your place at a conference or on a training course and we agree to reimburse you directly, we will also collect your bank details so that we can make payment to you.

We rely upon your consent to provide us with information to enable us to assess your eligibility for a grant, including your explicit consent where we process your health data as part of this process.

If, having reviewed your application, we believe that you may be eligible for a charitable grant from another organisation, we will ask for your consent to share your information with that other charity or organisation.

If we do make a grant to you, we rely on our legitimate interest to retain your information: we need to keep records of who we make grants to as this is necessary for keeping efficient financial records.

We also rely on our legitimate interest in supporting persons affected by cancer (our core aim) to make any payment necessary.

Sponsoring your role

In addition to making grants to individuals with cancer and to Macmillan Professionals and their teams (please see Apply for / receive a grant), we make grants to health and social care organisations to fund specific roles for a period of time. These roles are known as Macmillan posts and the people who work within them become Macmillan Professionals.

If you take up a Macmillan role, we will receive information about you, including your name, contact details and information about your role (including salary) and past Macmillan Professional posts from your employer. Your employer will also provide us with the contact details of relevant line managers and nominated finance contacts.

As a Macmillan Professional, we want to work with you to make sure you have the right support to develop in your role. As such, your information will be stored on our database, and we will use your personal data to contact you, providing you with the right tools, opportunities and support to help you develop and meet the expectations required of your role. Your Macmillan locality team will be a constant source of support and guidance for you throughout your time as a Macmillan Professional and members of the team will be in regular contact with you.

We may also contact you by post or phone to tell you more about Macmillan’s wider work and how that can support you in your role, including opportunities such as learning and development offers, to take part in research and to help us improve what we offer you and what we offer people living with cancer. We may also contact you by email if you have consented to this.

Save as noted above, we rely on our legitimate interests for this processing: we believe we have a legitimate interest in supporting training and development of professionals working with people with cancer - whether that’s all or part of the time - to ensure that people with cancer are as well looked after as possible (given that our core aim is to support those affected by cancer), and also in ensuring that our funds are being used efficiently and effectively.

Using the Macmillan Support Line (MSL)

There are a number of specialist services available via the Macmillan Support Line (some of which are also available via web chat and/or social media), including: welfare rights advice; energy advice; financial guidance; cancer information nurse specialist; work support service; and Macmillan Grants.

You can call us directly, but we also receive referrals from third party organisations such as the Citizen's Advice Bureau and various charities. These third party organisations will provide us with your name, contact details and a brief overview of your situation, and will obtain your consent to share this information with us. We may inform them of the outcome of your enquiry.

When you contact the Macmillan Support Line (or, if you have been referred to us, we contact you), we will collect various personal information from you, including your name, contact details, and details of your situation, which may include financial information and also special category information such as health information. We do this primarily so that we can give you appropriate advice and support, but also so that we can create a record of your call on our system so that we can bring up your details if you contact us again. We may record your call for training and quality control purposes.

We may also, with your consent, send you information that may be of help to you, such as cancer information booklets, or to notify you of other services in your area that could help you. In order to do this, we will share your name and address with our mailing house and fulfilment provider.

We rely on our legitimate interest in supporting persons affected by cancer (our core aim) when providing advice and support, as well as when we create a record of your call, and train our staff who handle these calls.

If you provide special category data (normally health data), we will rely on your explicit consent for processing this data for the purposes set out above.

We will also ask you for your consent to share your details if we think that another organisation could help you further. For example, we have referral agreements with energy providers and banks (such as nPower (E.ON), Natwest and Lloyd’s Bank): we may, if appropriate, ask if you are happy for us to contact, that organisation and share your details with them (and so we rely on your consent / explicit consent. for this purpose). They, and other organisations such as the Citizens Advice Bureau, may also refer you to us if they feel we can provide assistance and we may inform them of the outcome of your enquiry.

You should be aware that there are certain circumstances where we cannot guarantee confidentiality, for example, where we are subject to a legal obligation under safeguarding law. Please see our safeguarding policy for further information.

Using a Macmillan Cancer Information and Support Centre

We fund other organisations such as NHS Trusts and Local Authorities to provide Macmillan Cancer and Support Centres. The staff and volunteers that work at these centres are badged as Macmillan but they are not employed by us – they are employed by the partner organisation that we grant funds to in order to deliver the service. The relevant partner organisation will be the controller of your data.

Macmillan does not receive personal information relating to people who use this service. The only information we receive is aggregated statistical information about who is using the service: we use this to help us to evaluate the types of people who are using our services and the impact we are having.

Using the Macmillan Horizon Centre (Sussex)

We run the Macmillan Horizon Centre in partnership with the Sussex Cancer Fund, and Brighton and Sussex University Hospitals NHS Trust (the 'Hospital'). Each entity is a separate ‘controller’ in relation to the personal data it processes.

When you attend the Macmillan Horizon Centre in Sussex, we (Macmillan Cancer Support) collect your contact details, as well as details of why you have visited the centre, and details of your medical history.

We use this information primarily so that we can give you appropriate advice and support, but also so that we can create a record on our system so that we can bring up your details if you visit us again.

We rely on our legitimate interest in supporting persons affected by cancer (our core aim) when providing advice and support. If you provide special category data (normally health data), we will rely on your explicit consent for processing this data for the purposes set out above.

We may also, with your consent, send you information that may be of help to you, such as cancer information booklets, or to notify you of other services in your area that could help you. In order to do this, we will share your name and address with our mailing house and fulfilment provider.

We will ask you for your consent to share your details if we think that another organisation could help you further.

We have CCTV cameras at the entrance to the centre, so you may be captured on CCTV. These cameras are provided by our CCTV supplier, AM Security Ltd. Access to these images is strictly limited, and they overwrite any images every 30 days, unless they are required to retain a copy for longer in specific circumstances, for example, following an incident at the Centre.

We rely on our legitimate interest in ensuring the safety and security of our visitors and staff, and of our assets, when processing CCTV footage. CCTV footage may be shared with law enforcement where we have a legal obligation or a legitimate interest in doing so (or, occasionally, with other individuals and authorities where we have a lawful basis for doing so).

Answering your queries and handling your complaints

When you contact us, whether by telephone, email, letter or social media, with a query or a complaint, we will collect certain personal information from you (including contact details and why you are calling).

We use this information to provide you with advice and support, to find out the answer to your query (if we don’t already know), or to investigate your complaint (as appropriate), and also to create a record on our systems so that we have this available if you contact us again, and so we can follow up in relation to any outstanding issues.

We will usually rely upon our legitimate interests for these purposes: we believe that we have a legitimate interest in advising and supporting persons affected by cancer (our core aim), including by providing information about cancer, and in ensuring that any queries and complaints are quickly and appropriately dealt with as this is important for maintaining our reputation, which is important if we are to continue supporting persons with cancer.

If you are calling us about an online purchase or regarding a purchase from one of our lottery companies, we may rely upon performance of a contract in some situations – for example, where we need to process your personal data to arrange the delivery of a product you have ordered. Please see the section on When you purchase from us online or enter the Macmillan lotteries, raffles and prize draws for further information.

Using our online resources, visiting our websites or referring to us online

General / Introduction

We have various websites and online resources, including the Macmillan Online Community and other messaging boards.

We may collect your personal information when you register to use the Macmillan Online Community, post on one of the messaging boards within the Online Community or interact with our social media, including, with your consent where appropriate, automatically via the use of cookies and similar technologies . Research companies working on our behalf may also collect information where you have publicly posted about us on social media (they do not have access to the online communities). Please see the relevant sub-section below for more detailed information.

• Please remember that when you post personal information on a discussion board on our Online Community, or other messaging boards on our websites, your information is publicly accessible. Such information can be viewed online and collected by third parties. We are not responsible for the use of information by such third parties.
• When contributing to a discussion we strongly recommend you avoid sharing any information that can be used to identify you (such as your name, age, address, name of employer). We are not responsible for the privacy of any information that you post in our Online Community or other public pages of our websites.

Using the Macmillan Online Community

When you register, we collect certain information directly from you (e.g. name, contact details, age, gender). Once you have registered and signed in, we will also see any online profile you create within our online community, including any posts you make. Our Online Community is moderated, and any personal data contained in your posts may be processed as part of the moderation process.

We rely on performance of a contract when creating your account and moderating your posts, as you must agree to the Online Community and Macmillan website terms to register with the Online Community and to post. If you choose to post any special category data (such as health data), we consider that you are manifestly making such information public.

Referring to us online / on social media

We also scan social media and the internet (either ourselves or using an independent company such as Brandwatch) for comments about us to find out what people are saying about cancer and their cancer experience and other questions of importance for us, which allows us to assess our effectiveness and to improve how we work (‘social listening’). We may use automated tools to detect such comments.

We conduct this type of research to better assess whether individuals consider that our services are relevant and effective. We find that people can be more candid on social media / online than in focus groups. We never use the results of such research to market to individuals.

We rely on our legitimate interests for this processing: we consider that we have a legitimate interest in ensuring that our services are relevant and efficient, and ultimately that the money we raise is used most effectively to support individuals affected by cancer.

Where special category data (usually health data) is concerned, we rely on the fact that this information has been manifestly made public by the individuals in question. We consider the privacy impact on individuals to be small.

Interacting with our social media

We operate various social media accounts across multiple platforms (Facebook, Twitter, Instagram etc) in order to draw attention to our various services and events. When you interact with our social media (for example, by liking or sharing our content, or by becoming a member and/ or posting on one of our groups), we may collect personal information from you including your username, as well as any posts you make on our platforms. We may also moderate (or use a third party to moderate) your posts: this will be carried out to ensure that content is in line with our relevant terms and conditions (where applicable).

We rely on our legitimate interests for this processing as we consider that we have a legitimate interest in ensuring that our services are relevant and operating efficiently. To the extent that you choose to share any special category data in a post, such as health data (for example, if you are sharing your cancer experience), we rely on the fact that you have manifestly made public this information. When you message us privately we collect an explicit consent for our processing of special categories of data and provide you with a link to our privacy platform.

Where you post personal information on our page or on a one of our public groups, your information is publicly accessible. Such information can be viewed online and collected by third parties. We are not responsible for the use of information by such third parties. When contributing to a discussion we therefore strongly recommend you avoid sharing any information that can be used to identify you (such as your name, age, address, name of employer).

Please note that the relevant platform will also act as a controller in relation to information you post on Facebook: please see their privacy policy for information about their use of your personal information. For example, Facebook’s privacy policy is available at https://en-gb.facebook.com/policy.php

Sometimes we will pay the social media platform to promote our online posts further. We do this in line with our approach to Online advertising.

Donations on Social Media

Facebook and other social media platforms offer their subscribers the opportunity to donate to charity. If you create a fundraiser for Macmillan and your profile is public, we may use this information in order to suggest ways to contact us about your fundraising and (where privacy settings allow) post a public a thank you message. If you make a public donation through a social media platform, we may collect this information, upon request from the fundraiser, in order to send you a thank you message.

We consider that we have a legitimate interest in processing your donation, in contacting you about your fundraising, and in thanking you for any donation that you may make.

Cookies and similar technologies

Macmillan Cancer Support uses cookies (and similar technologies such as tags) on our website to make the website work, give you a more personalised web service, to target our advertising and to analyse the effectiveness of our content (for example, to establish how many people saw or liked certain content) (please see the section on Online Advertising for further information).

When you first visit our website, we will ask for consent to set any cookies (and to process any personal data collected by these cookies) which are not strictly necessary to make our pages work: you will be able to set your preferences at this stage. Where cookies are strictly necessary, we consider that we have a legitimate interest in processing the personal data they collect, as having a working website is vital to our work supporting people living with cancer.

You can always withdraw your consent by clearing cookies from the cache in your computer and rejecting them next time you visit our site.

We may also use similar technologies to identify when our emails are opened. This allows us to identify whether our marketing campaigns are effective and we consider that we have a legitimate interest in doing so.

For more information about our use of cookies and tags, different types of cookies, the information they collect and further information about how you can control the types of cookies that are placed on your browser, please see How we use Cookies.

Volunteering

Becoming a Macmillan volunteer

When you visit our Volunteering website, you can create a My Macmillan account, which will allow you to create a volunteering profile and apply for volunteering opportunities. We will need your name and email address to set up this account, and if you agree, we will add you to our marketing database so we can keep in touch. Please see the section on direct marketing for further information.

When you apply for a specific volunteering opportunity via the ‘Volunteering Village’ (through your Macmillan account or as a guest), using hard copy documents or by signing up on the day (for example for marathon cheer points) we will collect additional information about you in order to process your application and to allow us to determine whether you are suitable for the role. The information will vary depending on the role but this will always be clear from the application form. Please note that we will ask for references or conduct an ID check for most of our roles, as this helps us to confirm the identity of our volunteers and to build a better understanding of them.

For some roles, we provide specific training: we record attendance at training sessions as we need to make sure that all our volunteers have received appropriate training for any role they are undertaking. We will also record information about your performance of a given role – for example, if you are calling persons living with cancer, we need to keep records of who you have called and when – and about all volunteering roles you have undertaken in the past. Where necessary for a given role, we may also record the date on which we saw an appropriate background check certificate.

If you are eligible to reclaim expenses associated with your role from us, we will process information about any expenditure, including amount and type of expense, as well as your name and bank account details, in order to determine whether your expenses should be refunded and to make any resultant payments to you.

We consider that it is in our legitimate interests to process your personal data in connection with your volunteering journey with us as described above, as this helps us to support people living with cancer more effectively.

Supporting you as a Macmillan Committee Member

We process various personal information that you provide to us in order to support you as one of our volunteers, to support you in running an effective committee, to ensure that the activities of your committee are legally compliant and efficient, to ensure that we receive funds that people have donated and to help safeguard our assets.

You may also receive information from our services and other ways you can help, including opportunities to donate, volunteer or fundraise (please see direct marketing).

We have a legal obligation to support our volunteers, and rely on this lawful basis to the extent applicable.

To the extent that our processing goes beyond our legal obligation to support our volunteers, and in relation to other processing, we rely on our legitimate interest in achieving the purposes set out above.

Macmillan Telephone Buddies (Covid-19 Response Project)

To respond to the public health emergency related to Covid-19, we have launched a national (outbound calls only) telephone befriending service (Telephone Buddies) to deliver regular and ongoing support to people living with cancer for up to twelve weeks.

To sign up for the service, a referral form (available on our website) can be completed by people considering using our services or by a third party acting on behalf of those people. Where the form is directly completed by the person considering using our services, consent will be gained to contact them for a ‘pre-support screener’ call, to be delivered by a Macmillan staff member, and to assess their suitability for the service. When completed by a third party, the referral form will include a declaration confirming that the individual has given the third party authorisation to refer on their behalf. We will then ask the individual for their consent in our first contact call and before providing any service.

The form captures details about the individual, including cancer status, name, contact details (email and phone number) and location, as well as details of the type of person making the referral (this may be the individual themselves, their carer, a relative, a GP or other medical professional). An explicit consent will be obtained in relation to our processing of health data.

We will also capture information regarding Macmillan volunteers, which will be handled in the usual way (see Volunteering).

If you're under 18

Contacting or interacting with Macmillan

If you are interested in fundraising or volunteering for us and you are under 18, we may need to speak to a parent / guardian instead of, or before, speaking to you, and may need to record your date of birth so we know how old you are.

• 0-12 years old: If you are aged 12 or under, we will need to speak to your parent or guardian regarding your enquiry. We will not process any personal data about you. Any information provided will be recorded under the name of your parent / guardian.
• 13-15 years old: If you are between 13 and 15 years old, you must get your parent/guardian’s permission to contact us – we may need them to confirm this and that they are happy for us to speak with you about your query and to create a record on our database under your name. This record will contain information about your enquiry and may be linked to your parent/guardian’s record. We may ask for and record your date of birth so we know how old you are, and will not send you any marketing or carry out any processing that would require consent.
• 16-17 years old: If you are aged 16-17, then we may need to record your date of birth. We will not send you any marketing or carry out any processing that would require consent.

We can talk to your parents over the phone or, if written permission is required, we can send forms by mail or electronically.

Contacting us online

If you're aged 16 or under, please make sure you have your parent/guardian's permission before you provide any personal information on our websites: however you can always seek support or ask for online information.

Contacting us by phone:

All callers to our support line are asked for certain information such as their name and where possible, for anyone calling who is under 18, we would try to link to a parent’s account. However, you can choose not to give us these details and we can always provide support, direct you to online information and answer any questions you may have about cancer.

You should be aware that there are certain circumstances where we cannot guarantee confidentiality, for example, where we are subject to a legal obligation under safeguarding law. Please see our safeguarding policy for further information.

Performers

If you are a performer or a celebrity performing for Macmillan, we will process some of your personal data, including your name and contact details. Additional information collected will vary depending upon the specific arrangements with you. This information will be used to make arrangements for your performance and supporting logistics. Your performance may also be recorded where we have agreed this with you.

Our legal basis for processing your personal data will be contract performance – specifically, the performance of our contract with you (which will either be a standard release form or a contract for services).

Research

We carry out various research projects at Macmillan.

When you opt to take part in one of our research projects, or give consent for your personal data to be used in a research project, we have strict controls in place to look after your data in accordance with applicable data protection requirements.

We obtain information from a number of sources, including conversations with Macmillan Supporters or another external Macmillan audience, conversations with ‘free-found’ persons not on our supporter database, and surveys, which may be amongst Macmillan Supporters, people living with cancer, or amongst the UK population. All datasets used in our research are deleted promptly following the closure of a research project. We work with other parties to carry out our research, for example:

• Research Agencies such as OKO, Britain Thinks, Quadrangle;
• Research Panel Providers such as YouGov, ResearchNow / SSI;
• External Data Partners such as National Cancer Registries, NHS Trusts, Government Bodies and Academia; and
• Fieldwork recruiters such as Acumen, and Ardent.

Each party usually acts as a controller. Very little personal data is shared between parties: however, we may provide a recruiter with details of persons to be involved in a particular project; and a research agency may share video or audio of you with Macmillan if you have consented to this.

Anonymised raw data may be shared with us for quality assurance checks / further internal analysis, and we may also share such data with our external data partners

Every research project is different, and you will be given specific information about any project you choose to participate in.

Whether we are collecting new data, or analysing historical or public datasets, we will only carry out our research where we have an appropriate lawful basis for doing so. Generally, we consider that it is in our legitimate interests to carry out research relevant to allow us to better support persons living with cancer. Where we are processing special categories of personal data (usually health data), we will either obtain your consent, or in relation to historical data, rely on the fact that the processing is necessary for scientific research or statistical purposes (with appropriate safeguards in place).

Payment processing and Gift Aid

Payments and Donations

If you make a donation directly to Macmillan, or buy something from our online shop, we will use a third party such as Worldpay to process the payment. These payment processors will receive certain of your personal data (for example, your name, address and card details) to allow them to process your payment, and will provide us with information to allow us to match you to your transaction (which is necessary for our internal accounting, administrative and record keeping purposes). We may also share information with, or receive information from, these payment processors, as required to resolve any technical issues. We never store your payment details.

Where you donate to us via a third party platform such as JustGiving, we may receive certain information about the transaction, such as your name and the amount you have donated.

We have a legal obligation to keep records of transactions for tax purposes, and also to keep records of Gift Aid donations. We have a legitimate interest in being able to accept payments and donations, as this funding is vital to allow us to continue to support persons living with cancer, and also to keep records of donations made to allow us to identify how engaged individuals are, as this allows us to ensure that our fundraising is effective.

We use a variety of payment gateways, including Paypal, Stripe, Sagepay, Worldpay (and, via Worldpay, Samsung, Applepay and Googlepay), Datacash, Shopify and Amex. These gateways may have their own terms and conditions or privacy policies, which they will share with you at the time you make your payment.

Gift Aid

If you choose to donate to us using Gift Aid, we ask you to complete a Gift Aid declaration which includes your name, home address, and a statement that you have paid at least the donation amount in Income Tax or Capital Gains Tax in that tax year and agree to Gift Aid being claimed.

We are required by HMRC to collect the information in this form in order to allow us to reclaim Gift Aid on your donation, and are legally obliged to keep a record of all declarations for 6 years.

We rely on your consent to process these Gift Aid declarations.

For our own internal purposes

We may also use your personal information for our own internal purposes. This includes to allow us to manage our IT systems (and to test / develop new systems), for internal training (for example, call recordings might be used to train our customer services team), to deal with legal claims or other issues, for statistical analysis and research, for security and access control, and for accounting, internal recordkeeping and auditing purposes.

In general, we consider that we have a legitimate interest to ensure that our internal processes are managed efficiently, and to ensure that we have the people, skills and systems in place to allow us to support individuals affected by cancer to the best of our ability (our core aim).

We may also process your personal information where we have a legal obligation to do so, such as for VAT record keeping purposes, or where we consider we have a legitimate interest in, for example, co-operating with law enforcement, regulators or the like.

Some areas we would like to draw your attention to are:

Administering a legacy

Where the charity is potentially the beneficiary of a legacy, we will obtain the names and contact details of executors, a copy of the will, and a grant of probate. We may also obtain contact details and data, including special category data such as health data, relating to other beneficiaries and third parties in order for us to engage in relevant correspondence to secure payment of a gift.

We consider that it is in our legitimate interests to take all steps necessary to ensure the safe receipt and use of the legacy by the charity, in accordance with the donor's wishes, as this allows us to continue to support those affected by cancer.

Our Trustees have a legal obligation under the Charities Act 2011 and Trustee Act 2000 to take necessary steps to ensure full payment of legacies and to ensure all funds left to Macmillan are used to support those affected by cancer.

Fraud Detection and Investigations

We consider that we have a legitimate interest in investigating suspected or alleged frauds, both inside and outside of the organisation. To the extent that such processing involves criminal offence data, we consider that this is necessary in order for preventing or detecting unlawful acts or to comply with regulatory requirements relating to unlawful acts or dishonesty.

Examples include investigations into false fundraising events, stealing collection boxes, interfering with banking (e.g. intercepting cheques or changing bank details), and stealing Macmillan equipment. Internally, we may also investigate issues such as misuse of Macmillan credit cards, inflating business expenses, or diverting electronic payments to incorrect bank accounts.

We may report our suspicions, any allegations and/or the results of our internal investigations to the police.

Data Sharing

We will never sell your personal information.

However, to ensure that we provide you with the best service possible and that we use our resources as efficiently as possible, we make use of external expertise where appropriate. This involves us sharing your information with our trusted service providers who are authorised to act on our behalf, our trading companies, associated organisations who work on our behalf, or with whom we work with in partnership to deliver and improve services for people affected by cancer, for the purposes set out in this Privacy Policy. This includes organisations who fundraise on our behalf. Some of these organisations act as controllers (for example, banks or the Citizens Advice Bureau) and others as processors who act solely on our instructions (for example, mail service providers).

By way of example, we may:

• ask for your consent to share information in certain situations, for example, if we think that an external entity such as a bank, energy company, another charity or the Citizens' Advice Bureau may be able to assist you with an issue that you have told us about;
• share your information with payment processors, such as Worldpay, to allow you to make a donation, pay for entry to a fundraising event, or to make a purchase from the Macmillan online shop; they will then share certain information about the transaction with us to allow us to keep appropriate financial records and to match you to the transaction (so we know you have paid) – please see Processing Payments and Gift Aid for further information; and
• share your information with mail service providers and fulfilment companies to allow us to contact you and to fulfil an order you have placed with us.

From time to time, we may also need, or be required, to share your information with law enforcement, public authorities, regulators and/or our professional advisers. We will only do so where we have a clear lawful basis for doing so.

You should be aware that there are certain circumstances where we cannot guarantee confidentiality, for example, where we are subject to a legal obligation under safeguarding law. Please see our safeguarding policy for further information.

For further details about data sharing, please see How we use your data.

International Transfers

Those entities with whom we share your information may be located in the EU and elsewhere in the world including the US, India and other countries with more lenient data protection rules than those in the UK. Wherever they are located, we only work with companies we trust to keep your information safe.

We will always seek to ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws. We usually rely on standard contractual clauses when transferring personal data to countries located outside of the European Union.

You can obtain further information, including a copy of the relevant data safeguard where this is documented by contacting us (please see Contact Us) although some details may be redacted for confidentiality reasons.

Data Security

Macmillan Cancer Support is committed to protecting the security of the personal information you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.

For example, we use strict procedures and security features to prevent unauthorised access to your personal information.

However, although Macmillan implements security for information on our websites, please do remember that information transmission over the internet is inherently insecure, and we cannot guarantee the security of information sent over the internet.

Data Retention

We have a records retention policy which sets out how long we will keep your information for. In some cases the retention periods are governed by law, in other cases by best practice.

Most information will be kept for 3 - 10 years (usually 6 years), but the exact time frame will depend on the nature of the information. Notable exceptions are:

• Powers of attorney will be kept indefinitely in accordance with the Limitation Act 1980.
• We do not keep any card payment information.

If you would like more details about how long we keep your personal information, please contact us.