Privacy policy

How do we obtain your personal information?

We collect information in the following ways (this is more fully described in What information we collect): 

• When you give it to us directly
  You may give us your information in order to sign up for one of our events, when you contact us to ask about our activities, to tell us your story, order products and services from us, seek assistance, make a donation to us, fundraise on our behalf, apply for a job or otherwise give us personal information.
  When you support us, and your information is collected or processed by an organisation (eg. a professional fundraising agency or a data processing company) working on our behalf, we will be responsible for your information. 
• When you give permission to other parties to share it with us
  Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so with your consent when you have indicated that you wish to hear from us.
  You should check their privacy policies when you provide your information to understand fully how they will process your information. We may also obtain information about you from a family member or a friend who contacts us on your behalf, or if a volunteer or fundraiser passes on your details to us. 
• When your information is available publicly or from other external sources
  We may combine information that we already have about you with information available publicly or information available from external sources, such as Experian, to gain a better understanding of you and to improve our fundraising methods, products, and services. Such information could be for example, socio-demographic and lifestyle information and information about previous donations you have made. Details of the profiling we do is set out in Building profiles and targeting communications.
  The information we get from other external sources may depend on your privacy settings or the responses you give, so you should regularly check them. For example, you may have provided permission for a company or other organisation to share your data with third parties including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
  Depending on your settings or the privacy policies for social media and messaging services like Facebook, LinkedIn, WhatsApp, Instagram, YouTube, Google+ or Twitter, you might give us permission to access information from those accounts or services.
  We may also obtain information about you where it is publicly available and found in places such as Companies House, Land Registry website and information that is published in articles and newspapers.
  To understand how we use information about the communications devices you use, such as IP address (the location of the computer on the internet) and cookies, please see How we use cookies.

What information do we collect?

Personal information is any information that can be used to identify you. For example, it can include information such as your name, date of birth, email address, postal address, telephone number, IP address, credit/debit card details, CCTV footage, and information relating to your health and personal circumstances. 

Data protection law recognises that certain categories of personal information are more sensitive. These are known as 'special category data' and include information relating to health, race, ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), sex life and sexual orientation. Criminal offence data is also subject to extra safeguards. We collect special category data where there is a need to do so such as when we are giving you advice, to ascertain what services are relevant to you or to cater other services and support to you.

The kind of information we collect, why we collect it, if we share it, and the legal basis for this data collection is set out below. To learn about how long we keep your data for, see How long do we hold your information for?

When you contact Macmillan to:

• Participate in a fundraising event
• Make a donation
• Sign a petition or become an e campaigner
• Apply for a job
• Apply for a volunteering role
• Buy goods from us
• Enter the Macmillan lotteries, raffles, and prize draw
• Apply for a grant
• Sign up to attend a training course or event
• Use the online community
• Join Macmillan Minds
• Administer a legacy
• Use the Macmillan Support Line (MSL)
• Use the Macmillan Mobile Information Bus
• Use a Macmillan Cancer Information and Support Centre
• Use the Macmillan Horizon Centre in Sussex
• Use a Macmillan app (such as the Macmillan organiser app)
• Become a Member of Macmillan
• Seek advice as a Macmillan Committee Member

We also collect information on:

• Journalists
• The general public

• Participate in a fundraising event
  We will collect the following types of information: title, name, gender, address, email address, telephone number, t shirt size, DOB, bank details if there is a fee to enter the event, if relevant, health information, and tax status for gift aid. If you choose to give it to us we also collect mobile number and the name of your employer.
  We use this information to: confirm your place, to send events information, to send you a Macmillan t shirt if you requested one, to claim gift aid.
  We will share this information with: HMRC if you consent to gift aid. We work with payment processors such as Worldpay which provide card payment gateways on our behalf and provide us with information about you after you have made a payment to us.
  If a third party is organising the event, then your details will be shared with the third party. These companies are based in the European Economic Area (EEA) or where they are not based in the EEA we have put in place safeguards to ensure that your data is protected as if it were processed in the EEA. Some of the companies that provide us with software tools for analysing our fundraising are based in the US – where that is the case we rely on Privacy Shield to safeguard your data, or on EU standard model contract clauses. We use a company called Clear Heads International Ltd based in Australia to provide the Go Sober for October platform. They also use an email platform that has servers in the US - we use model contract clauses with Go Sober to ensure the protection of your personal information in this case.
  We rely on consent to process your information to enable you to take part in the event. We rely on legitimate interests for marketing to you by post or phone, and consent for other types of marketing.
• Make a donation
  We will collect the following types of information: title, name, address, consent for gift aid, bank details. If you choose to give it to us we also collect email, phone/ mobile number and your motivation for donating.
  We use this information to: process your donation, add you to our marketing lists so that we can inform you about other ways to get involved with us including other fundraising initiatives, volunteering and research opportunities, and to claim gift aid.
  We will share your information with: HMRC to claim gift aid, payment providers such as Worldpay for one off donations by payment card or CommittedGiving for regular direct debit donations. Where these companies are based in the US we use Privacy Shield or EU model clauses to ensure your data is protected.
  We rely on your consent to process your information to enable you to donate. We rely on legitimate interests for marketing to you by post or phone, and consent for other types of marketing. HMRC are legally obliged to process your name address and tax status for gift aid. For high value donations we rely on legal obligation to conduct additional due diligence on donors to ensure compliance with money laundering law and to ensure that there are no reputational or ethical risks associated with the donor or the donation.
• Sign a petition or become an e campaigner
  We will collect the following types of information: name, address, email, how you heard about the e campaigner network.
  We will use this information to: add you to our database of e-campaigners and to add you to our marketing lists so that we can inform you about other ways to get involved with us including fundraising initiatives, volunteering and research opportunities.
  If you are signing a petition we will share your message with the relevant government department or organisation. We will also share your information with companies who provide mass email services such as Engaging Networks, Dotmailer and Mailchimp.
  We rely on your consent to process your information as an e campaigner. We rely on legitimate interests for marketing to you by post or phone, and consent for other types of marketing.
• Apply for a job
  We will collect the following types of information: name, age, gender, address, email address, telephone number, eligibility to work in the UK, your CV/ work experience, emergency contact details, bank details/ National Insurance number (if you are appointed), disability/ health information, criminal convictions and/ or DBS check (if relevant/ required for the role you apply for) ethnicity, sexual orientation, how you heard about the job. For certain types of roles we may use psychometric tests.
  We will use this information to: assess if you are suitable for the role, decide if we need to make reasonable adjustments for your interview, to pay you if successful. We collect details about race/ ethnicity, religion beliefs, sexual orientation for monitoring and inclusion and to enable us to identify trends. We keep this information separate from your application.
  We will share your information with eArcu Limited who run our recruitment portal. If you log in to our recruitment portal using your Google, Facebook, Microsoft, or LinkedIn details, then those companies will have access to some details that you share in the portal. It may be unwise to link social media accounts to confidential information. We may share your contact details with a third party that provides psychometric tests if we ask you to complete a psychometric test as part of the recruitment process.
  We initially rely on your consent to process your information as a job candidate. We are legally obliged to process information about your right to work in the UK and we will take a copy of your passport as evidence of your right to work if we interview you. We are legally obliged to make reasonable adjustments for you if you have a disability. If you are working with children or vulnerable people, we may be legally obliged to carry out a DBS check. Once we have your information there are circumstances where we would rely on legitimate interests to process your data – for example if someone makes a complaint, if we are required to investigate a matter, and to run an efficient recruitment process. We rely on legitimate interests to hold your data in accordance with our retention policy (see How long do we hold your information for?).
  If you are successful in your application, our use of your data will be set out in our contract and in the Staff Handbook.
• Apply for a volunteering role
  We will collect the following types of information: name, address, telephone number, email, work history/ experience/ your CV, emergency contact details, date of birth, referees, criminal convictions and/ or DBS check if required for the role, race/ ethnicity, religious beliefs, sexual orientation, disability and health information. If you consent to allowing your story to be featured as a case study, we will also collect photos and details about your cancer experience or experience working with Macmillan.
  We will use this information to: process your application and to assess your suitability for the role. We collect details about race/ ethnicity, religion beliefs, sexual orientation for monitoring and inclusion and to enable us to identify trends. We collect information about disability/ health to enable us to make reasonable adjustments if you need them. We conduct DBS checks for roles involving close work with children or vulnerable people and in other circumstances where DBS checks are legally required.
  We will share your details with various third parties as detailed in this section. If you register on our platform Volunteering Village and keep an open profile, then you may be contacted directly by organisations who are looking for volunteers. We offer volunteering opportunities in a range of different environments – for example you may be supporting a Macmillan service in a hospital. In this case, we would share your some of your information (such as your contact details, your role, and any access requirements you may have) with the hospital for the purposes of security, health and safety, administration and to enable them to provide reasonable adjustments for you. If you are volunteering in a sensitive role – such as supporting someone in their own home, we will share some of your details (eg. your contact details) with a third party who provide us with a personal alarm system for volunteers. We do this to keep you safe.
  We initially rely on your consent to process information about you as a volunteer. We rely on legal obligation to contact DBS checks where these are required for posts working with children or vulnerable people. However, once you start volunteering with us we rely on legitimate interests to process your information – this would enable us to use your information to investigate complaints or a serious incident even if you did not consent, for example. We also need to process your information to run an efficient volunteer scheme and to evaluate your progress.
• Buy goods from us
  We will collect the following types of information: name, address, phone, mobile number, bank account details.
  We will use this information to: fulfil your order and to send you marketing communications.
  We will share your information with our fulfilment companies who will ensure your order is sent to you. We also use a third party to manage our customer support line for the shop and to manage returns. We may share your information with credit reference agencies. We will share your information with HMRC for VAT relief and potentially for gift aid. Macmillan Cancer Support Sales Limited takes orders for the Shop and will share your data with Macmillan Cancer Support. We may share some your information on an anonymised basis with market research agencies.
  We rely on the contract between us to process your information to fulfil your order. We rely on legitimate interests for marketing to you by post or phone, and consent for other types of marketing. HMRC are legally obliged to process your name, address and tax status for gift aid.
• Enter the Macmillan lotteries, raffles, and prize draw
  We will collect the following types of information: name, address, DOB, bank account details.
  We will use this information to: confirm your legal eligibility participate in a Macmillan lottery and to subscribe you to a lottery or prize draw, and to send you marketing communications.
  We and our lottery subsidiaries: 1) Macmillan Financial Grants Lottery Ltd, 2) Macmillan Cancer Information Lottery Ltd, 3) Macmillan Influencing Cancer Care Lottery Ltd, and 4) Macmillan Healthcare Lottery Ltd will process your data for the purposes of administering and marketing the Macmillan lotteries.
  We share your data with print and production companies who print tickets, with external lottery managers who administer our lotteries and with fulfilment companies.
  We rely on the contract between us to process your information and to subscribe you to the lottery. We have a legal obligation to check you are old enough to play the lottery. We rely on legitimate interests for marketing to you by post or phone, and consent for other types of marketing.
  
• Apply for a Grant
  We collect the following types of information: your contact details and financial information. Depending on the type of grant you are applying for, we may also collect details about your cancer including a medical report from your health professional, or information on your skills and experience through a CV.
  We will use this information to assess your eligibility for a Macmillan grant, be it for general cancer support, academic research or for funding a role in the cancer workforce.
  We will not generally share your information with anyone. However, if your application indicates that you may be eligible for a charitable grant from another organisation, we will ask your consent to share your information with that other charity or organisation.
  We rely on your consent to provide us with information to enable us to assess your eligibility for a grant. If we make a grant to you then we rely on our legal obligation to hold your information – we need to keep records of who we make grants to as this is necessary for keeping efficient financial records.
• Sign up to attend a training course or learning event
  We collect the following types of information: title, name, email address, address, employer, job title, phone number, access and learning needs. If the training includes lunch, we may ask about your dietary requirements.
  We will use this information to assess whether you are eligible for the training course and to evaluate who is signing up for our courses. We will also keep your details to inform you of other training courses or Macmillan initiatives in the future.
  We will share your information with the training provider (if not us). We will share your name with the venue. We sometimes use third party companies providing registration tools such as Eventbrite and CVent and with companies providing online survey tools such as Survey Monkey. If you give your information to Eventbrite then you should check their privacy terms as they collect information for their own purposes and Macmillan does not have control over this.
  We rely on consent to book you onto the training course and to provide you with the details that you need to prepare for the course. We rely on legitimate interests to send you marketing about other courses and other Macmillan initiatives that may be of interest to you. We rely on legitimate interests to evaluate who is doing our courses and the impact that we are having.
• Use the online community
  We collect the following types of information: title, name, email address when you register, age, gender, any online profile you create including information in your URL.
  We will use this information to create an account for you and to be able to identify you if there is a problem with your account, if you have a query, or if we need to enforce our website terms.
  We will share information with companies who provide us with an out of hours moderation service. We also share your URL and any information it contains (e.g. your name) with Google Analytics for statistical purposes. It will be saved in Google Analytics servers in a secure closed system. No use will be made of this data apart from statistical analysis.
  We rely on your consent to provide us with information to create an account, and also on contract as you must comply with the community and Macmillan website terms to register with the online community and to post. We will rely on the terms of our website if you do something that violates our terms. This could include banning you from the online community.
  
• Join Macmillan Minds
  We collect the following types of information: when you register we collect your name, email address, postal address, gender, date of birth, income, the number of adults and dependent children in your household and your donation history (including at other charities). Once you have signed up we will send you surveys, polls and give you access to discussion forums, where you can choose to share your opinions on anything to do with Macmillan.
  We will use this information to assess how effective our fundraising is and to adjust it accordingly.
  We share your information with Toluna UK Ltd who supply and host this data. This data may be transferred to the USA but we have robust security systems in place, including both EU model clauses and Toluna USA, INC being signed up to the EU-US Privacy Shield.
  We rely on your consent when you provide us with your information both initially when you sign up and later when you volunteer your opinions on our surveys, polls and discussion forums.
• Administer a legacy
  We will collect and record the following types of information: names and contact details of executors, a copy of the will and grant of probate. Depending on the circumstances, we may need to collect other information relevant to the gift left to us. This may include special category data, such as health data, if we are involved in a claim in relation to the legacy, or data about life tenants, where such information has been passed to us for the purpose of administering the legacy.
  We will use this information to enable us to process the legacy left to us under the will.
  Depending on the circumstances we may share some data with other charities who also have an interest in a will, professional advisors, regulators and other beneficiaries or interested third parties.
  We rely on legitimate interests and our legal obligation in the course of administering legacies kindly left to us in wills and to ensure the safe receipt of the legacy to the charity in accordance with the donor's wishes.
• Use the Macmillan Support Line (MSL)
  We collect the following types of information: name, details about why you are calling us. We will also collect your address, email address, phone/mobile number.
  We will use this information to: give you appropriate advice and support, to create a record of you on our system so that we can bring up your details if you contact us again. With your consent, we may also send you information that may be of help to you, such as cancer information booklets, or notify you of other services in your area that could help you. We record calls for training and quality control purposes.
  We will not generally share your information with anyone without your consent, although if we write to you we may share your name and address with our mailing house and fulfilment company. There are limited circumstances where we cannot guarantee confidentiality, see: Working with Children and Vulnerable Adults. We will ask you for consent to share your details if we think another organisation could help you further.
  We rely on your consent to provide us with information to enable us to advise you. If we feel we need to break confidentiality, we will rely on legal obligation and safeguarding law.
• Use the Macmillan Mobile Information Bus
  We collect the following types of information: name, email address, address, phone number/ mobile, details about why you came to the bus.
  We will use this information to: give you appropriate advice and support, to create a record of you on our system so that we can bring up your details if you contact us again. With your consent, we may also send you information that may be of help to you, such as cancer information booklets, or notify you of other services in your area that could help you.
  We will not generally share your information with anyone without your consent, although if we write to you we may share your name and address with our mailing house and fulfilment company. We will ask you for consent to share your details if we think another organisation could help you further.
  We rely on your consent to provide us with information to enable us to advise you.
• Use a Macmillan Cancer Information and Support Centre
  We fund other organisations such as NHS Trusts and Local Authorities to provide Macmillan Cancer and Support Centres. The staff and volunteers that work at these centres are badged as Macmillan but they are not employed by us – they are employed by the partner organisation that we pay to deliver the service. This also means that the personally identifiable information that they collect is not provided to us.
  Macmillan does not receive personally identifiable information about who uses the service. We do receive statistical information about who is using the service to help us to evaluate the types of people who are using our services and the impact we are having.
• Use the Macmillan Horizon Centre in Sussex
  We collect the following types of information: name, address, email address, phone/mobile number, CCTV images, details about why you have visited the centre, details of your medical history.
  We will use this information to: give you appropriate advice and support, to create a record of you on our system so that we can bring up your details if you visit us again, and to maintain security on our site. With your consent, we may also send you information about services that could help you or to gather feedback on the Centre.
  We will not share your information with anyone without your consent, although if we write to you we may share your name and address with our mailing house and fulfilment company. We will ask you for consent to share your details if we think another organisation could help you further.
  Our CCTV supplier, AM Security Ltd, will overwrite any images captured on the CCTV cameras every 30 days, unless images are required to be retained for longer following an incident at the Centre. In all cases access is strictly limited.
  We rely on your consent to provide us with information to enable us to advise and support you. We rely on legitimate interests for marketing by post or telephone. We rely on legitimate interest to maintain CCTV cameras on the entrance to the Centre.
• Use a Macmillan app (such as the Macmillan organiser app)
  We collect the following types of information: IP address, numbers of people downloading the app. The app has access to your contacts and accounts to be able to function as an Organiser app.
  We will use this information to: help us understand how many people are using the app and to assess its impact.
  We have made the Macmillan Organiser app available for free to download and it is available on Google Play and Apple App Store. When you download the app Google or Apple will collect information about you as detailed in their privacy policies.
  We rely on your consent to provide us with information to enable the app to work on your device, and consent in relation to any electronic marketing.
• Become a Member of Macmillan
  We collect the following types of information: name, address, number, reason you are eligible to become a member.
  We will use this information to assess if you’re eligible to become a member and to send you notifications of AGMs and other information we are required to give to you by law.
  If required, we may share your information with regulators or our professional advisors. We will also share your information with mass email providers and mailing houses.
  We rely on legal obligation to process your information as we have certain legal duties under company law to keep a register of members and to notify members of certain events such as AGMs. We also rely on contract as Members have entered into a contract with Macmillan and our obligations are set out in our governing document as well as in company law.
• Macmillan Committee Members
  We collect the following types of information: contact details of individuals in officer positions, details of income, any other details we ask for and you provide.
  We will use this information to support you to run an effective committee, to comply with our legal duties to support volunteers, to ensure that the activities of the committee are legally compliant and efficient, to ensure that we receive funds that people have donated, to safeguard our assets.
  If required, we may share your information with regulators or our professional advisors. We will also share your information with mass email providers and mailing houses.
  We rely on legitimate interests to process your information – we need to process this information to support you to run an efficient Macmillan committee and to help safeguard our assets.
• Journalists
  We keep a database of journalists. We have our own database and we use a database supplied to us by media intelligence companies. The database includes contact details, employer, whether you've interacted with us before, and links to stories you have written. We believe the privacy impact on journalists is small and we only use this information to build relationships with journalists who can help us to promote our charitable aims.
• General Public
  From time to time we conduct research by analysing what people are saying on public social media platforms, including what people are saying about cancer and their cancer experience.
  We conduct this type of research to better assess if our services are relevant and effective to people. We find that people can be more candid on social media than in focus groups. We would never use the results of such research to market to individuals.
  We would engage an independent company to do this research and we would ask for any identifying information to be removed before the results are presented to us. We would require the third party conducting the research to not share any personally identifiable information with anyone else.
  We rely on the fact that individuals have made this information public and we consider the privacy impact on individuals to be small.
  We also scan social media for comments about us to assess our effectiveness and to improve how we work.

How long do we hold your information for?

We have a records retention policy which sets out how long we will keep your information for. In some cases the retention periods are governed by law, in other cases it is best practice. 

For fundraising and events information, we will hold onto your details as below (we set this out in the format of record type, length held and the reason):
Change of address – we will hold for 2 years – for Best Practice 
Consent to direct marketing – we will hold for 6 years – for compliance with data protection law and privacy law 
Correspondence about donations – we will hold for 6 years from the end of the fiscal year – for compliance with Companies Act / Charities Act 
Deeds of covenant (donee) – we will hold for 6 years after final payment due but up to 12 years if any payments are still outstanding or there is any dispute regarding the deed - for compliance with Tax/Limitation Act 1980 s8 
Gift aid claims - we will hold for 6 years from the end of the fiscal year in which the last payment under the declaration was made – this evidence required by HMRC inspections/ Limitations Act 1980 
Gift aid declarations - we will hold for 6 years from the end of the fiscal year in which the last payment under the declaration was made – for compliance with Finance Act 1988 Sch 18 (Declarations continue in force until revoked or cancelled) 
Image Consent forms – although image consent has no time limit, in practice we no longer use photos after 5 years. We review our photo banks every 6 months. After the photo is no longer used, we suppress it and the consent form for 2 years after the consent is no longer needed and then destroy it in accordance with Best Practice 
Legacies – we will hold for 6 years after the estate has been wound up for legal and contract reasons 
Lotteries returns – we will hold for 3 years after the draw in accordance with Best Practice 
Medical declarations – we will hold for 6 years from date of event – in accordance with Best Practice 
Parental consent forms - Based on a child's age – we will hold until they are 21 +3 years for Public Liability purposes 
Raffle tickets - we will hold for 3 years from the end of the fiscal year to comply with the Gambling Commission requirements 
Registration forms - we will hold for 6 years – for contract law purposes and Public Liability 
Requests to be removed from direct marketing lists – we will hold for 6 years to demonstrate compliance with data protection and privacy law 
Requests for information from Data Subjects – we will hold for 6 years in accordance with Best Practice 
Sponsor forms – we will hold for 6 years from end of fiscal year – to comply with Finance Act 1988 
Supporter credit card numbers - we do not retain these in accordance with Payment Card Industry Data Security Standards (Requirement 3) 
Supporter credit card verification codes (3 or 4 digit number on the front or back of the credit card) – we do not retain these in accordance with Payment Card Industry Data Security Standards (Requirement 3) 

For Recruitment and Volunteering information, we will hold onto your details as below (we set this out in the format of record type, length held and the reason): 
Bank details of future employees – we hold onto these for the duration of the time that you work with us for the purpose of paying you – to comply with the Data Protection Act 2018 
CCTV images – we hold these images for 30 days before overwriting them (or in the event of an incident, longer) – in accordance with Best Practice
Consent to process special category data – we will hold this information for as long as you work with us and for 6 years after you stop working with us to comply with the Data Protection Act 2018 
Contractor time sheets - we will hold for 3 years from the end of year in which contract terminated in accordance with Best Practice 
Contracts of employment, written particulars of employment and any changes (original) we will hold for 6 years after employment ceases - in accordance with Limitation Act 1980 s.5 
CVs – of successful applicants we will hold for 6 years after employment ceases in accordance with Best Practice 
CVs – of unsuccessful applicants we will hold for 15 months after the end of the recruitment process in accordance with Best Practice 
Equal opportunities/diversity/fair employment (NI) monitoring forms we will hold for 3 years from date of application in accordance with Best Practice 
Health assessments – we will hold for 2 years after these no longer apply in accordance with Working Time Regulations (Regs 5 & 9) 
Job applications – if successful we will hold for 6 years after employment ceases - in accordance with Best Practice 
Job applications – if unsuccessful we will hold for 1 year after notification then destroyed – to demonstrate compliance, if necessary, with the Equality Act 
Job descriptions – we will hold for 3 years after employment ceases in accordance with Best Practice 
Medical and health records of employees we will hold these for 30 years after employment ceases in accordance with Best Practice 
Qualifications evidence – we will hold for 6 years after employment ceases in accordance Limitation Act 1980 s.5 
References we will hold for 6 years after employment ceases in accordance with the Limitation Act 1980 s.5 
Time sheets we will hold for 2 years after they are created to demonstrate compliance with the Working Time Regulations 
Working time opt-out forms- we will hold for 2 years after employment ends to demonstrate compliance with the Working Time Regulations 5 & 9 
Driver declaration forms – we hold for 1 year and these are renewed annually 
Vehicle mileage records – we hold for 2 years from disposal of the vehicle in accordance with Best Practice 

For other records, we will hold onto your details as below (we set this out in the format of record type, length held and the reason): 
Complaints Correspondence - we will hold for 6 years from completion of action in accordance with Best Practice 
Entertainment register – we will hold for 10 years in accordance with Best Practice 
Fraud case files - we will hold for 6 years – to comply with the Limitation Act 1980 
Litigation files – we will hold for 10 years – as our lawyers have advised 
Powers of attorney – we will hold on to these indefinitely in accordance with the Limitation Act 1980 
Subject access requests – we will hold for 6 years after last action for contract purposes and in accordance with the Data Protection Act 2018 
Service user records we will hold for 3 years after the last action (or 7 years if there has been an accident or safeguarding issue) in accordance with Best Practice 
Call recordings - we will hold for 3 years in accordance with Best Practice 

How do we use your information?

How we use your information would largely depend on why you are providing it (see What information do we collect). As an overview, we may use your information in the ways set out below. 

• We use your personal information to give you the information, support, services, or products you ask for.
• We use your information to gain a full understanding of your situation so we can develop and offer you the best possible personalised services.
• We use your information to keep a record of your relationship with us and for internal administrative purposes (such as our accounting and records), and to let you know about changes to our services or policies. We use your personal information to look into, and respond to, complaints, legal claims or other issues.
• We use your personal information to claim Gift Aid on your donations.
• We use personal data to carry out statistical analysis and research in order to help us to understand how we are performing and how we can improve our services and meet the needs of people that require our help.
• We may also use your personal information for other purposes which we specifically notify you about and, where appropriate, obtain your consent.

Direct Marketing

• We use your information to send you communications about our work and how you can help us, for example, information about our campaigns, volunteering, fundraising activities and how you can donate to us. Occasionally, we may include information from partner organisations or organisations who support us in these communications. Our forms have clear marketing preference questions and we include information on how you can say no to such marketing.
• We rely on your consent for marketing communications by electronic means – including text, email and social media. We rely on legitimate interests for other means of marketing including post and live calls.
• You can let us know if you would prefer not to receive these communications at any time by emailing contact@macmillan.org.uk calling us on 0300 1000 200, or writing to our Data Protection Officer at InfoGov@macmillan.org.uk.
• We also use your information for profiling purposes – see Building profiles and targeting communications and in certain circumstances, we may pass your information to Facebook
Back to contents

Building profiles and targeting communications

Profiling is gathering information about an individual or a group of individuals and analysing their characteristics or behaviour patterns in order to place them in a certain category or group, and/ or to make predictions or assessments about their ability to perform a task, their interests or likely behaviour. We use several types of profiling and analysis, including: data matching, segmentation and major donor analysis. You can object to us profiling you by writing to our Data Protection Officer at Macmillan Cancer Support, 89 Albert Embankment, London SE1 7UQ, or by email at infogov@macmillan.org.uk.

We use profiling techniques to ensure communications are relevant and timely, and to provide an improved experience to our supporters. For example, we use profiling to send information about campaigns and services in your area, or to find potential new supporters and invite you to be involved in supporting our cause through tailored communications which may be of interest to you.

We do this because it allows us to understand the background of the people who support us and use our services and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do or to tailor our services to better suit them. We also use profiling to exclude people who may be vulnerable from marketing, for example, people living in care homes. Profiling enables us to provide you with a service that is more relevant for you, while raising more funds, sooner, and more cost-effectively, than we otherwise would. Profiling allows us to be more efficient with our resources, which donors consistently tell us is a priority for them.

In order to create a profile for you, we (or our trusted service providers) may use the information which you give us and which we collect from external resources, including information that is publicly available about you. This sort of profiling can include us using information such as your age, property prices and average earnings where you live, your job, directorships, your financial circumstances, networks, any previous donations you have made, your philanthropic interests (trusteeships and/ or support to other charities), and your estimated wealth, to assess how likely it is that you would be interested in donating to us and the level of donation that you may be able to give. We use this information in our analysis of major donors.

Data matching

We use Experian for data matching. If you support us, we will match your postcode to Experian’s tool MOSAIC to get information about you such as household income, household composition and other demographic information. We then add this information to our record of you to tailor our marketing and services communications to you and to help us raise more funds.

Segmentation

We use Experian for behavioural analysis on our supporters, to help us segment our supporter database and to enable us to profile other supporters, if we have a legitimate interest to do so.

We also use software tools owned by other companies to help us analyse who is most likely to donate to us. We do this by using information we hold, such as your name, age, gender, address, donation history, the events and products you have engaged with, your volunteering status and any previous segmentation, and combining it with external profiling tools, to more accurately target our engagement with you.

We use a tool called FastStats by QBase for this purpose. QBase is based in the UK. We also use a tool called Raisers' Edge for the same purpose. Raiser's Edge is owned by Blackbaud, Inc. They are a US based company and are certified under the US Privacy Shield. These businesses may rely on others for further information, such as GI, YouGov or Experian.

We may also use this information to help us determine whether and in what ways you might be interested in getting involved in our other fundraising activities. You can let us know if you would prefer us not to profile you in the ways set out here by contacting our Data Protection Officer at Macmillan Cancer Support, 89 Albert Embankment, London SE1 7UQ, or by email at infogov@macmillan.org.uk

Who do we share your information with?

We will not sell your details to any third parties, but in many cases we share your information with our trusted service providers who are authorised to act on our behalf, our trading companies, and associated organisations who work on our behalf, or whom we work with in partnership to deliver and improve services for people affected by cancer. This includes organisations who fundraise on our behalf.

As part of our commitment to maintaining accurate data, we use trusted third-party service providers, such as Read Group, to ensure that we keep our record of you up to date. For example, if we have an out of date address for you, or we are unaware of a bereavement, they will let us know and we can update our records accordingly. Read Group do this by comparing the information we send them with any data they can access, such as Postal Address Files (PAF), and automatically flagging any differences to us. Generally, we only share your data with them if we plan to contact you as part of a campaign. Read Group are based in the UK and will not keep your data after this type of processing.

If you participate in our lotteries or raffles, your information will also be processed by our trading companies who administer and run these on our behalf. In addition, from time to time we may exchange your personal information with other organisations for the purposes of fraud and credit risk reduction. We may also share information with our financial and legal advisers for the purposes of obtaining advice and protecting our legal rights. We may also share your information with the emergency services if we think there is a risk of serious harm or abuse to you or someone else.

When we collect your personal information we use strict procedures and security features to prevent unauthorised access. However, no data transmission over the Internet is 100% secure. As a result, while we try to protect your personal information, Macmillan Cancer Support cannot guarantee the security of any information you transmit to us and you do so at your own risk.

Where we share your information with companies based outside the EEA we will put in place safeguards to protect your data. We contract with a number of software companies based in the US and in most cases we rely on Privacy Shield to protect your data. However, there are some occasions where we rely on EU Standard Model Clauses.

We also share some information with Facebook as described below.

Facebook

Remarketing (or retargeting)

Facebook have tags on some pages of our website which allows them to collect information about pages you’ve visited on our website, they will then serve you advertising on Facebook based on this information. Please see the Tags section in How do we use cookies? for further information.

Lookalikes

We sometimes share with Facebook the email addresses of people who have registered to take part in one of our major fundraising events, such as coffee morning, Brave the Shave and Mighty Hikes, or those who have called Macmillan in relation to fundraising for us. The emails are used by Facebook to define a type of audience with similar characteristics, and then Facebook will serve adverts to people that match that type of audience - but not (necessarily) the people in the original email file. We do this to increase registrations to our events and to raise more funds. We sometimes share this information with our media planner agencies who may also share email addresses with Facebook on our behalf.

Custom Audiences

We sometimes use Facebook Custom Audiences for operational support. For example, if you register to take part in coffee morning, we will send your email address to Facebook who will serve you content relevant to coffee morning, such as baking tips and tips on how to raise more money.

Saved Audiences

We use Facebook Saved Audiences to remember which supporters on Facebook are most likely to respond to our fundraising, campaigning and marketing requests.

How do we use cookies?

Macmillan Cancer Support uses cookies to give you a more personalised web service. To see how we use cookies, what they are, and which ones we use please go to our How we use cookies page. This page also includes instructions on how to disable cookies if you don't want them to be used.

Links

The Macmillan Cancer Support website may include links to other sites, not owned or managed by us. We cannot be held responsible for the privacy of information collected by websites not managed by us. 

Privacy and our Online Community

Our Online Community is moderated and we do not display the full names of individuals nor addresses.

When you post personal information on a discussion board on our Online Community or other messaging board on our websites, your information is publicly accessible. Such information can be viewed online and collected by third parties. We are not responsible for the use of information by such third parties. 

When contributing to a discussion we strongly recommend you avoid sharing any personal information that can be used to identify you (such as your name, age, address, name of employer). We are not responsible for the privacy of any identifiable information that you post in our Online Community or other public pages of our websites. For more information see the relevant section in What information do we collect?

If you're 16 or under

If you're aged 16 or under, you must get your parent/guardian's permission before you provide any personal information on our websites. If you're a young person living with cancer, we have a section of cancer information for teens and young adults.

Dealing with People in Vulnerable Circumstances

We are committed to protecting vulnerable supporters as well as protecting the interests of people in vulnerable circumstances when fundraising for us. Please refer to our policy, Working with children and vulnerable adults for more details.

Your rights - Accessing and updating your personal information

You can request access to any information we hold about you by contacting our Data Protection Officer at Macmillan Cancer Support, 89 Albert Embankment, London SE1 7UQ, email infogov@macmillan.org.uk. Equally, please let us know of any changes to your personal information. 

If you would prefer us not to profile you for the purposes of targeting or tailoring our fundraising efforts, let us know by emailing contact@macmillan.org.uk, calling us on 0300 1000 200, or writing to our Data Protection Officer by email at infogov@macmillan.org.uk.

If you are unhappy with how we've used your data please tell us so we sort it out. However, if you are still unhappy you have the right to complain to the ICO. The ICO can investigate your claim and take action against anyone who has misused personal data.

Further details are here:
https://ico.org.uk/concerns/
ICO helpline: 0303 123 1113.

Your rights – more details

• Right to be informed - you have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.
• Right of access - you have a right to ask us to confirm whether we are processing information about you, and to request access to this information. You can do this by writing to our Data Protection Officer by email at infogov@macmillan.org.uk
• Right to object - you have the right to object to processing based on legitimate interests or performance of a task in the public interest/ exercise of an official authority (including profiling); direct marketing (including profiling) and processing for the purposes of scientific, statistical or historical research. We must comply with any request to stop processing for the purposes of direct marketing. The right to object is not absolute in relation to processing for legitimate interests and research purposes.
• Right to rectification - you have the right to require us to rectify information about you that is inaccurate, and you may also ask us to remove information which is inaccurate or complete information which is incomplete. If you inform us that your personal data is inaccurate, we will inform relevant third parties with whom we have shared your data so they may update their own records.
  We want to ensure that your personal information is accurate and up to date. If any of the information that you have provided us with changes, for example if you change your email address, name, payment details, please let us know: contact@macmillan.org.uk or call us on 0300 1000 200. We will update your details as soon as possible and within one month. We may refuse a request for rectification in certain circumstances, such as where we need to keep an audit trail.
• Right of portability - you have a right to obtain your personal data from us and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data. This includes the right to require us to pass on information we obtained from you to another data controller. This right applies when we process your data with consent, pursuant to a contract and we are carrying out processing by automated means.
• Right to be forgotten - you have a right to seek the erasure of your data. You may wish to exercise this right for any reason, for example where it is no longer necessary for us to continue holding or processing your personal data you may withdraw your consent. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations, or for reasons of public interest. We may also need to keep some information about you in order to, for example, comply with an instruction not to contact you again. We will respond to a right to be forgotten request within one month.
• Right to restriction - you have a right to ask us to restrict our processing of your information ('right to restriction') if:
  • you contest its accuracy and we need to verify whether it is accurate
  • the processing is unlawful and you ask us to restrict use of it instead of erasing it
  • we no longer need the information for processing, but you need it to establish or defend legal claims
  • you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests. If you exercise your right to restrict processing, we would still need to process your information for exercising or defending legal claims, protecting the rights of another person or for public interest reasons.
  This is an alternative right to the right to be forgotten and it is not an absolute right. If we refuse a request for restriction we will explain why. We will respond to requests for restriction within one calendar month.
• Rights in relation to automated decision making, including profiling - you have the right not be subject to a decision based solely on automated processing, including profiling, where this has a legal or similar effect on you. If we carry out profiling that does not meet this definition we can continue to carry out profiling if we comply with the General Data Protection Regulation.

If we rely on consent as the legal basis for processing (as set out in What information do we collect?) you can withdraw your consent to that processing. However, we often rely on different legal bases for different aspects of processing. This means that we may not be able to act on your request if we have a compelling legal reason not to. For example, if we originally collected your data with your consent, but we later need to investigate a complaint, we may be able to rely on legitimate interests to continue processing your information.

Changes to this policy