Privacy policy

Thistle Foundation (Thistle) respects and keeps safe any personal details (which are also referred to as personal data) that you share with us. This policy explains which information we may collect about you when you engage or interact with us. It explains how we store and handle your data, who we share it with and how we keep it safe, and it explains your rights in relation to your information.

About this Policy

We have tried to make this policy as clear as possible although we recognise there is a lot of information. Hopefully, we have included enough information to answer your questions, but if you have any concerns, please get in touch by emailing dataprotection@thistle.org.uk or writing to the Data Protection Officer, 13 Queen’s Walk, Edinburgh, EH16 4EA, or by telephoning 0131 661 3366.

We may make changes to this privacy policy from time to time in line with best practice or new regulations or legislation. The latest version of our policy will always be available on the Thistle website (www.thistle.org.uk) and we will notify you of any significant changes.

You can download a copy of our Privacy Policy for your records: Privacy Policy Document

About Thistle Foundation

We know that people engage with different parts of our organisation, so in this document ‘Thistle’ covers Supported Living, Thistle Services, Health and Wellbeing, our Young People’s work, Thistle Training Consultancy and Thistle Learning. The policy also covers all of our activities, whether it’s the support we provide for you, the support you give to us or our corporate outreach such as fundraising and marketing.

Policy Contents

This policy includes:

  • The Legal Basis for Thistle to Collect Personal Data

  • When and Where Do We Collect Personal Data?

  • What Personal Data Do We Collect?

  • How And Why Do We Collect Your Personal Data?

  • Who Has Access to Your Personal Details?

  • How Do We Keep Your Details Safe?

  • How Long Will We Keep Your Personal Data?

  • Right of Access to Your Data

 

1. The Legal Basis For Thistle To Collect Personal Data

Under the new regulations, Thistle can collect personal data for the following reasons:

1)   If we have your consent 
For example: if you have filled in a self-referral form or signed-up for a newsletter.

2)   If we need your personal details to fulfil our legal or regulatory obligations
For example: we need your address to provide support to you at home

3)   If we’re required to by law.
For example: to prevent fraud or criminal activity

4)   If we have a legitimate interest – in some situations we may need to collect and use your personal information, in a way you could reasonably expect, to carry out our work and fulfil our charitable aims, provided this does not impact on your rights, freedom or interests.

For example, we will contact you about any changes to your service, or to keep you informed of our work.

For example, if you are part of our supporter community, we may contact you about fundraising activity and appeals to ask you for financial or non-financial support.

For example, to assess and verify applications for paid or voluntary work.

For example, analysis and profiling of our supporters using personal information we already hold

For example, updating or appending your address using third party sources if you have moved house or changed your telephone number; confirming the email address you provided us is still valid

Making sure your information is up to date:

We may use information from external sources such as the Post Office’s National Change of Address Database, public electoral roll or professional database companies to ensure the details we hold are accurate. We have a legal obligation to ensure our records are up to date but also to ensure we are acting in the most cost-effective and considerate way. We do this when we think you have changed address or telephone number so that we can update our records and stay in touch, but also to ensure that we are not contacting anyone who may have died since our last communication. We may also append an (additional) address or telephone number to be able to contact you, providing you have not objected or opted out of such communications and we are acting in accordance with legitimate interest as noted above.

Where we need to process sensitive information relating to your health, we will only do so if:

  • you have given us your consent

  • it’s required by regulations/laws governing Thistle’s operations

  • it’s necessary for us to provide the appropriate support

 

2. When and Where Do We Collect Personal Data?

The type and quantity of information we collect and how we use it depends on why you are providing it. You may be a supporter of Thistle (through volunteering or donating), you may be supported by us or you may attend one of our courses or training and development sessions.

Here are some examples of when we collect personal data and where we get the information:

  • When you are referred to us by a health professional or self-refer to Thistle.

  • When you join our gym.

  • When you engage with us on social media.

  • When you visit our website – we use cookies to make our site faster and easier for you to use. You can disable them in your settings.

  • When you sign up for an event or course.

  • When you become a volunteer.

  • When you become a donor or fundraiser.

  • When you give your information to an organisation working for us e.g. a professional fundraising agency.

  • When you contact us for assistance or to make a complaint.

  • When you ask us to send you a newsletter or to provide information about our services and support.

  • When you book an appointment with us.

  • When you attend one of our events.

  • When you fill in a form (for example relating to event or class attendance or to do with fundraising).

  • When you share your story with us – this is if you have decided to tell us about your involvement with Thistle so that we can use the information to bring to life the work we do and explain how it makes a difference.

  • When you’ve given a third party permission to share your personal information with us e.g. a fundraising site such as JustGiving (check their privacy policy when you provide your information so that you can understand how they will process your data).

With third party organisations, the information we receive may depend on your device settings or the responses you give when you make initial contact, so check the permissions you have given regularly.

We may sometimes use profiling or screening techniques to ensure communications we send to you are relevant and timely. When building a profile we may analyse geographic, demographic and other information relating to you. In doing this, we may use additional information from publicly available information about you or from organisations where you have given your consent for your details to be shared. This helps us to better understand your interests and preferences so that we can contact you with relevant information.

Our website uses a cookie for Google Analytics. It does not capture or store personal information, but merely logs users’ IP addresses which are automatically recognised by the web server. These are used to record the number of visitors to our site and volumes of usage. For more information about Google Analytics, please visit the Google Analytics website.

 

3. What Personal Data Do We Collect?

This varies according to the interaction and engagement you have with us and what we need to be able to fulfil our role.

If you are a supporter – that means if you make a donation, volunteer, register to fundraise or sign-up for an event, then we may collect the following information:

  • Name, contact details, date of birth, bank or credit card details

  • We may also ask for information relating to your health (for example, if you are taking part in a high-risk event)

  • We may ask you why you have chosen to support Thistle and whether this relates to your personal experience (we only want to know about this if you are comfortable talking about it)

If you receive support from us – if you participate in our Health & Wellbeing programme (attend courses, have gym membership, come to classes) or use our supported living services or take part in our young people's work – we may request/collect the following information:

  • Name and contact details, date of birth (age), gender, ethnicity

  • Emergency contact details of family members or others if appropriate

  • Person who has referred you

  • Financial details

  • Relevant health information

  • Your story

If you access one of our supported living services, you will have an individual contract that sets out exactly what information we hold and how we use it.

If you use Thistle Training and Consultancy – if you have attended or made an enquiry about a course or training/development support – we may collect the following information:

  • Name and contact details, usually email address

Other available information

We may supplement information on our supporters with information from publicly available sources. This may include your address, telephone number, demographic profiling including wealth screening, household status or additional information on your interests, charity websites and annual reviews, corporate websites, public social media accounts, the electoral register, the Royal Mail National Change of Address Database, and Companies House. This helps us create a fuller understanding of someone’s interests which in turn means we can share information that is most relevant to you. You can opt out of this at any time, by calling, writing or emailing us on the contact information below.

 


 

4. How and Why Do We Use Your Personal Data?

We want to give you the best possible support and the best possible experience of Thistle whether you are someone who uses our services or whether you are a donor, a volunteer or fundraiser. Depending on why you’re engaging with Thistle, typically we’ll use your personal details to:

  • provide you with the support you have requested

  • communicate with you – including to respond to your questions and concerns and update you on our work. We may keep a record of these communications to improve our support.

  • improve the support we give – collecting feedback, handling complaints etc.

  • administer your donation or support your fundraising, including processing gift aid

  • process payments and protect our charity – and your account – from fraud

  • improve our website

  • learn more about you so that we can support you more effectively

  • offer opportunities for you to support our work in different ways

  • offer places on training/development courses

  • keep you up to date with developments at Thistle and consult with you

  • keep a record of your relationship with us for improvement purposes and to meet regulatory and legal requirements

  • ensure we know how you prefer to be contacted so that we contact you in the way you choose

  • check for updated contact details against third party sources so that we can stay in touch if you move to a new house or change your telephone number

  • send you communications required by law or which are necessary to inform you about changes to the services we provide to you

  • help build a picture of what matters to you

  • report to organisations that fund our work

  • create a general profile which helps us to target our marketing activity to people with a similar profile to you

We may also need to use your personal information for the following reasons:

  • For Thistle to meet its legal or regulatory requirements

  • To respond to requests from competent authorities

  • For financial accounting, invoicing and risk analysis purposes and to ensure we manage our operations effectively (for example for training and risk management)

  • To share with professional advisers – who also adhere to data protection guidelines – to ensure effective operations (including fundraising)

We do not sell personal details to third parties, or share them with third parties, for the purposes of marketing. But if you attend an event run in partnership with another named organisation, your details may need to be shared. In this situation, we will explain clearly what will happen to your data when you register.

Marketing Communication for Fundraising

We make it as easy as possible for you to tell us how you want us to communicate with you. Our forms have clear marketing preference questions and we include information on how to request no contact (Opt-Out) from us. If you don’t want to hear from us, that’s absolutely fine. Just let us know when you provide your data or any time that we contact you. Or you can contact us on 0131 661 3366 or fundraising@thistle.org.uk.

Remember, if you choose not to share your personal data with us, we may not be able to keep you up to date or provide you with information that may be useful to you.

Updating your details

We really appreciate it if you let us know when your contact details change. And we may also use publicly available sources to keep your details up to date (for example, the Post Office’s National Change of Address database). It is important that we have correct contact details so that we do not send mail to the wrong address.

 

5. Who Has Access To Your Personal Details?

This will depend on your interaction and engagement with us. As a general principle, within Thistle we limit access to all personal data, ensuring that a minimum number of staff are able to view your information.

In general terms, we may also share your data with:

  • Health and social care professionals as appropriate or as required by regulation

  • Organisations that provide services to Thistle or who act on our behalf. This may include mailing companies, those that process card payments or IT service providers.

  • Companies that run fundraising events such as Kiltwalk

  • Regulators and legislators as required

  • Our professional advisors (such as lawyers, accountants and consultants)

When we share your information, we provide as few details as possible for them to do their job. They are only allowed to use your data for a specified activity, must comply with GDPR, and must delete or anonymise your data on completion of the specified activity.

 

6. How Do We Keep Your Details Safe?

We ensure that there are appropriate technical controls in place to protect your personal details; for example our online forms are always encrypted and our network is protected and routinely monitored. Data is in password-protected systems and confidential paper records are locked away.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by a limited number of appropriately trained staff, volunteers and contractors. 

We sometimes use external companies to collect or process personal data on our behalf (for example we use a mailing house to post out our newsletters). We do comprehensive checks on these companies before we work with them and ensure that they are compliant with the relevant regulations.

As a rule, we will only ever share your data with third parties if we have your permission and informed consent. However, in highly exceptional circumstances, we may be required by law or regulatory requirements to disclose your details to others, such as regulatory bodies or legal advisors, without your consent.

A note about websites and email

Our website has links to other sites that are not under our control. If you follow a link then please check the privacy notice on the new site. 

We make every effort to keep your data secure but cannot guarantee total security when transferring data by email. 

 

7. How Long Will We Keep Your Personal Data?

We retain personal data for as short a time as possible. How long depends on the reason for which it was initially collected, any instructions from you, and any regulatory, legal or reporting requirements.

At the end of the period, your data is either deleted completely or anonymised (so that we can aggregate it with other data for analysis to improve our service).

 

8. Right of Access to Your Data

We fully respect your rights:

  • to know what we know about you,

  • to make changes to the personal data we hold about you, or

  • to ask us to stop using your data.

You have a right to ask us to stop processing your personal data. We will do this provided the processing is not necessary for the purpose for which you provided the data to us (e.g. registering for an event) and we are not required to process it for regulatory or legal reasons.

Contact us on 0131 661 3366 or dataprotection@thistle.org.uk if you have any concerns.

You also have a right to ask for a copy of the information we hold about you, and accessing this information is usually free of charge. We will send you the information within 30 days. Once you have received it, if you spot any mistakes, please let us know and we will correct your record accordingly.

If you wish to access your information, simply send your request along with a description of the information you want to see and proof of your identity by post to the Data Protection Officer, 13 Queen’s Walk, Edinburgh, EH16 4EA. We’re sorry but we cannot accept these requests by email.