How we capture, store and use your data
The Royal Foundation of The Duke and Duchess of Cambridge and The Duke and Duchess of Sussex
Protecting your privacy is important to us. At all times we aim to respect any personal information you share with us, or that we receive from other organisations, and keep it safe. This Privacy Notice (Notice) explains how we hold and use personal information and your rights and options in relation to it.
If you have any questions about this Notice please contact us using the details in the “Contact us” section below.
This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how and why we use your personal information.
- Who we are
This website is operated by the Royal Foundation of the Duke and Duchess of Cambridge and The Duke and Duchess of Sussex (the Foundation) (registered charity number 1132048 ). The Foundation is the controller of the personal information that is collected through the site or otherwise as set out below.
- Our Patrons
Our patrons are the Duke and Duchess of Cambridge and The Duke and Duchess of Sussex. We sometimes share personal information with them for the purposes set out in this Notice below, and they will sometimes share personal information with us where it is lawful and appropriate to do so. In those cases, we are usually sharing data with the Royal Household. For example, we may share limited information about our supporters attending an event at which our patrons may be present, or our patrons may share the details of individuals with the Foundation who have expressed an interest to our patrons in being involved in our work and Projects.
- Our websites/projects
The Foundation is the Patrons’ primary charitable vehicle, and supports and co-ordinates a number of charitable Projects, in collaboration with other charities and organisations. These Projects sometimes have their own websites. This Notice applies to each of the following websites equally, unless otherwise specified below:
Please note that this list may change over time, however the relevance is to the website that you are currently visiting. We will not inform you if a new website is added to this list.
|www.royalfoundation.co.uk||the main website of The Royal Foundation.|
|www.headstogether.org.uk||Heads Together. A partnership with inspiring charities that are tackling stigma, raising awareness, and providing vital help for people with mental health challenges|
|www.unitedforwildlife.org||United for Wildlife. A collaboration with seven of the largest field-based international conservation organisations to up-scale the response to conservation crises.|
|https://courses.unitedforwildlife.org/||A free open course focussed on conservation|
|http://elephants.unitedforwildlife.org/||Campaign website offering actions for people to take to support conservation|
|http://wearetherangers.com/||A website focussed on the United for Wildlife Minecraft maps|
|https://www.stopspeaksupport.com/||A website hosting content from The Royal Foundations anti cyberbullying campaign|
|www.endeavourfund.co.uk||Endeavour Fund. A project delivered with the assistance of an experienced Advisory Board, to fund sporting and adventure challenges for wounded, injured and sick Servicemen and women.|
|www.wearecoachcore.com||Coach Core. An apprenticeship and training programme delivered with partners to inspire and assist young people to build careers in sports coaching.|
|www.full-effect.org||A partnership with Community Recording Studio and EPIC Partners to identify and support young people at risk of and affect by youth violence in Nottingham through early intervention, mentorship and training.|
How we collect information about you:
When you give it to us directly
For example, personal information that you give us by filling in forms on our websites or offline (including signing up for our newsletter, fundraising and/or volunteering, or making or proposing a donation), communicating with us by phone, email or letter or filling out a survey.
When you give it to us indirectly
For example, personal information we receive about you if you use any of the other websites we operate or services we provide. In this case, we will have informed you when we collected that personal information if we intend to share it internally and/or combine it with information collected on our websites, and the purpose for doing so.
Our Project partners may share your personal information with us in order to co-ordinate our various Project campaigns, for example to invite beneficiaries of these projects to attend Foundation events to celebrate their achievements.
Your personal information may also be shared with us by third parties including, for example, the Royal Household or other Royal Charites (see “Will we share your personal information?” below), our partners; sub-contractors in technical, payment and delivery services; advertising networks; analytics providers and search information providers. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.
When it is available publicly
Your personal information may be available to us from external publicly available sources. For example, listed directorships, information from the electoral roll and press reports – we may obtain this personal information, for example, when undertaking due diligence on potential donors or fundraising partners to ensure they align with our mission and values, or when researching prospective donors (see “Donor profiling” below).
When you visit our websites
When you visit our websites, we automatically collect the following personal information:
(a) Technical information, including the internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
(b) Information about your visit to the website, including the uniform resource locator (URL) clickstream to, through and from the site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
We also collect and use your personal information by using cookies on our websites – please see our Cookie Notice for more information
We may combine your personal information from one or more of these sources for the purposes set out in this Notice.
What personal information do we process?
We may collect, store and use the following kinds of personal information:
- name and contact details, including postal address, telephone number, email address and, where applicable, social media identity;
- financial information, such as bank and/or credit/debit card details;
- donation history and Gift Aid details;
- photographs, video or audio recordings;
- biographical information, such as your occupation (or employment history – for example if you apply for a job);
- information about your computer / mobile device and your visits to and use of our websites, including for example your IP address;
- any other information shared with us as per the section “How we collect information about you” above.
Do we collect/ share sensitive personal information?
Data privacy law identifies certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health or ethnicity. In limited cases, we may collect and/or use your sensitive personal information (also known as special category data). Normally we will only do so where we have your explicit consent, but there may be other circumstances permitted under data privacy law.
For example, we may record that a person is in a vulnerable circumstance in order to comply with requirements under charity law and fundraising regulation to ensure that we do not send fundraising communications to them.
PLEASE BE AWARE THAT if you choose to send the Foundation unsolicited sensitive personal information, including requests for mental health related support and information, we do not have the expertise to provide specialist support in this area. Therefore if you contact us with such a query we will share your details with our Heads Together partner, Mind (charity number 219830 whose website is www.mind.org.uk) to the extent necessary for them to respond directly with the support or information you require and, where necessary we may pass this information to the relevant emergency service(s) or to appropriate organisations such as Childline.
If you contact us on this basis, we will send you an email or letter to confirm we have provided your details to Mind and will give you the opportunity to let us know if you are no longer happy for us to share your details in this way. If you then tell us you are not happy for Mind to have this information or to contact you we will request that Mind delete the details about you that we have provided to them immediately. Please be aware that this process may take 24 hours and it is possible that Mind will respond to you directly in the meantime.
How and why we use your personal information?
Your personal information, however provided to us, may be used for the purposes specified in this Notice, including:
- To provide you with services or information which you request (including where appropriate, referring you to a partner organisation such as Mind to provide mental health support);
- to process payments from you such as donations (including Gift Aid);
- to communicate with you as set out in this Notice below (including the sections “Campaign communications” and “Administrative communications” below);
- to administer our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve your interactions with our websites, for example by ensuring that content is presented in the most relevant and effective manner for you and for your computer;
- to report on the results and impact of our work;
- as part of our efforts to keep our websites and our internal operations safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to undertake donor due diligence (see section “Donor due diligence“ below);
- to administer your employment application;
- to deal with enquiries and/or complaints made by or about you;
- to audit and/or administer our accounts;
- to satisfy legal obligations which are binding on us, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work;
- prevention of fraud, misuse of services or money laundering; and/or
- enforcement of legal claims
The Royal Foundation engages in ‘donor profiling’; identification of, and subsequent research into, prospective major donors and influencers – individuals, charitable trusts, companies and volunteers to gain a better understanding of our supporters and identify prospective supporters. This profiling, which may include identifying indicators of wealth and analysis of our database in future, will inform our fundraising strategy, helping us to provide you with relevant and effective communications and strengthening the relationship with our supporters in the most efficient way possible. As a charity, this helps the Foundation make best use of its charitable funds in order to maximise the public benefit it is able to deliver.
You can opt out of your personal information being used in this way. If you do not wish the Royal Foundation to undertake donor profiling on you, then please contact us at email@example.com.
Donor due diligence
Like many charities, we need to undertake checks on individuals who give or propose to give large donations to us, so that we are complying with our duties to protect charity funds, assets, and reputation, and to comply with the “know your donor” principles further to Charity Commission guidance, to prevent fraud, and also to ensure compliance with our own ethical policies (Due Diligence Purposes).
We may use third party suppliers to assist us with these checks, and we may obtain information from publicly available sources in order to do so. The Foundation will follow its Ethical Fundraising and Gift Acceptance Policies in the interpretation and application of due diligence findings. We will periodically review due diligence decisions in line with any future changes to the charity’s Ethical and Gift Acceptance Policies.
Information that we obtain through carrying out due diligence may be shared with other Royal Charities for Due Diligence Purposes. See “Data Sharing”.
Donor due diligence may also include information which is considered “sensitive personal data”. This may include personal information regarding racial or ethnic origins, political opinions, religious beliefs, health and also information concerning criminal offences.
Filming and photograph at events
Please note that we (or our service providers) or third party (including Project partner) event hosts may film or photograph those attending or taking part in our events.
We may use the footage or photographs for publicity and marketing/ fundraising purposes. For example, in print and/or digital material (including social media) or via external advertising and press outlets, all of which may be made available to the public.
No personal details (e.g. names) of children under 16 will be used in such materials without consent from their parent or legal guardian, but we may use images where children are incidentally pictured (for example, as part of a crowd).
We may use your contact details to provide you with information about our work which we consider may be of interest to you (for example updates about the Foundation’s Projects such as Heads Together).
We will obtain your consent to contact you via email and text message for these purposes (for example, via signing up on our Project websites).
We may send you marketing by post on the basis of it being within our legitimate interests to do so, unless you opt-out. See the section “Our legal basis for processing your information” for more information about our use of legitimate interests. We may also contact you by phone on this basis (unless you are registered with the Telephone Preference Service or have opted-out of receiving marketing communications from us).
We send the following marketing materials:
- Updates about the Foundation’s work- including email, newsletters, magazines and other publications informing you about our work;
- Campaigns – information about our Projects, including how you can support such campaigns, (for example by attending events or fundraising for them), and updates about the progress of our campaigns;
- Events – including details of our challenges (in the case of the Endeavour Fund, for example) or other events in aid of our Projects. Note that if you sign up to an event we will also send you administrative communications about how you can take part. On occasion we will also send you a reminder about the same event in future years in case you want to participate in it again; and
- Volunteering – information about how you can help support our Projects and partners by giving up your time or using your influence to progress their aims, along with updates on the impact of your work.
Where possible we cleanse and remove out of date contact details by checking it against publicly available records such as deceased records. This helps us to improve the delivery rate of our mailings and minimise wasted expenditure.
Social media/ digital
Depending on your settings or the privacy policies for social media messaging services like Facebook, Twitter and Instagram you may receive targeted advertisements about the Foundation through our use of social media audience tools. For example, Facebook’s ‘Custom’ and ‘Lookalike’ Audiences’ programmes enables us to display adverts to our existing supporters when they visit Facebook, or other people who have similar interests or characteristics to our supporters. We may provide your personal information including your email address to Facebook, so it can determine whether you are a registered account holder with them, or so that Facebook create a “lookalike” audience. Our adverts may then appear when you access Facebook. We only work with social media networks that provide a facility for secure and encrypted upload of data and immediately delete any records not matching with their own user base.
For more information or to manage your social media ad preferences, please see Facebook’s “About Custom Audiences” guide (https://www.facebook.com/business/help/744354708981227) and its Data Policy.
Our website also uses web beacons or pixels through third-party service providers that allow us to track conversions and activity on our website as well as generate advertisements that appear on Facebook and other search engines like Google for you and other potential users. Please see our Cookies Notice for more information.
In addition to the campaign communications that you receive from us, we will also communicate with you by post, telephone and e-mail in relation to administrative matters.
On occasion, we will also contact you about an event that you have signed up to participate in, for example, to check that fundraising pages have been set up and to provide any other necessary information.
We may still need to communicate with you for administrative purposes even where you have opted-out of marketing communications from us.
Children’s personal information
We sometimes collect and manage personal information about children, and we aim to manage it in a way which is appropriate to the age of the child. Personal information is usually collected when children who are involved in Project work with our partners attend our events, or where our Patrons attend partners’ events with them.
Where possible and appropriate we or our partners will seek consent from a parent or guardian before collecting personal information about children.
Will we share your personal information?
Unless stated in this Notice, we do not share (unless we have your consent to do so), sell or rent your personal information to third parties for their own marketing purposes.
Sharing with the Royal Household and Royal Charities
Due to the nature of the Foundation, in some circumstances we may share your personal information with the Royal Household – for example to provide our Patrons with information about our event attendees where it is reasonable and lawful for us to do so, and they will share personal information with us. The Foundation regularly consults with the Royal Households; Kensington Palace, Buckingham Palace and St James’ Palace in the planning of events which may include sharing of event attendee information as appropriate.
From time to time, we also work with The Royal Founding Patronages, a group of charities (plus their subsidiaries and/or trading entities), as well as the Prince’s Trust Group and The Prince’s Foundation, listed here: https://www.princeofwales.gov.uk/prince-waless-charities. Furthermore we may also work with Sentabale http://sentabale.org and the Royal Collection Trust https://www.royalcollection.org.uk. Collectively known as the “Royal Charities”, data is shared verbally and via secure email between the Royal Charities’ representatives.
The relationship between the Foundation and the Royal Charities follow a shared operating protocol which involves a degree of relevant and proportionate ongoing information sharing within the group, carried out in the legitimate interests of both the Foundation, and the Royal Charities in supporting their individual and collective aims. This is to ensure any approaches to prospective supporters are handled sensitively and proportionately, and to prevent the same supporters receiving multiple approaches at the same time from different members of the Royal Charities, where they may not reasonably expect this. This personal information may include names, contact details, philanthropic interests and some relevant biographical detail – and where strictly necessary and appropriate to protect the interests of the Royal Charities, due diligence information (see “Donor Due Diligence” above).
Sharing with moderation companies
Please note that for some campaigns we use third party moderation companies – where we do this, those companies will be granted access to our social media platforms and will read and review some or all posts made to ensure that the content abides by our community guidelines. Inappropriate content may be removed or hidden, and the individuals who posted may be blocked from further interaction on the channels.
If content is disclosed that suggests that person(s) may be a risk to themselves, a risk to others or disclose information on other potentially at risk persons then we may pass this information to the relevant services to ensure the appropriate action is taken.
Other sharing purposes
We may also disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice, including:
• We will share your personal information with our charity partners, where necessary and appropriate to coordinate our Projects listed in the section “Our websites/projects” above.
• where it is necessary to protect your vital interests, or ensure support for individuals with a particular medical condition, or to safeguard children or individuals at risk;
• where we have your consent to do so;
• where the transfer is to a secure data processor, which carries out processing of your personal information on our behalf pursuant to a contract;
• where we are required by law to do so, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation.
Security of and access to your personal information
We take proportionate and appropriate measures to safeguard your personal information and to prevent the loss, destructions, misuse or alteration of it.
For example, your personal information is only accessible by appropriately trained staff and contractors, and stored on secure servers.
In general, the personal information that we collect from you will be stored at a destination within the UK or European Economic Area (EEA).
However, we use agencies and/or suppliers to process personal information on our behalf. Your personal information may therefore be transferred or stored outside, and/ or otherwise processed by contractors operating, outside, the UK or EEA who work for us or for one of our suppliers.
In these cases we will take all steps reasonably necessary to ensure that the recipient implements appropriate safeguards to protect your personal information (for example, by entering into a contract approved by the European Commission or, if the company is based in the US, checking that it is certified under the EU-US Privacy Shield).
The transmission of information via the internet is never completely secure, and although we do our best to protect it, we cannot guarantee the security of personal information transmitted via the internet.
Our legal basis for processing your personal information
The Foundation must rely on a lawful basis to collect and use your personal information. Data privacy law specifies six such grounds, and we consider the following to be relevant to our use of personal information:
- Where you have provided your consent -For example, to send you direct marketing by email or SMS.
- Where it is necessary so that we can comply with a legal obligation to which we are subject – For example where we are obliged to share your personal information with HMRC to process a Gift Aid declaration
- Where it is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract
For example if you are assisting with or otherwise involved in one of our Projects under a contract.
- Where there is a legitimate interest in us doing so.
Personal information may be collected and used if it is reasonably necessary to achieve a legitimate interest (as long as that processing is fair, balanced and does not unduly impact your rights).
Where we rely on legitimate interests, depending on the activity, we may be relying on the Foundation’s legitimate interests or those of our partner organisations (for example, in our coordination of the Heads Together campaign, a Project involving several partner charities).
Those legitimate interests include the following:
• Charity Governance, including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
• Administration and operational management, including responding to solicited enquires, providing information, research, donor due diligence, events management, the administration of our Projects and employment and recruitment requirements; and
• Fundraising and Campaigning, including administering campaigns and donations, and sending material by post (and in some cases making telephone calls), analysis, targeting and segmentation to develop communication strategies and maintaining communication suppressions.
In general, our legitimate interests include running the Foundation as a charitable entity and pursuing our aims and ideals. However, “legitimate interests” can also include your interests, such as when you have requested information or services from us, and those of third parties (for example, beneficiaries of our Project work – including ensuring those who require help and support are directed to the most appropriate organisations to provide it).
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights.
How long do we keep your personal information
Whatever your relationship with us, we will only store your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements. Usually this will be for a specified amount of time in accordance with our internal retention policy.
That length of time may vary depending on the reasons for which we are processing the personal information and whether we have a legal (for example under financial regulations) or contractual obligation to keep it for a certain amount of time.
Subject to the above, generally, we typically retain personal information relating to donors and people who have taken campaign actions or signed up to our mailing lists for 6 years after their last donation or interaction with us and we will then to consider whether to retain for further six years.
Once the retention period has expired, personal information will be confidentially disposed of or permanently deleted.
If you object to further contact from us, we will keep some basic information about you on a “suppression list” in order to avoid sending you unwanted communications in the future.
You have a number of legal rights in relation to our use of your personal information. These rights include:
- Right to object – you have the right to object to processing where we are (i) relying on the legitimate interests as a legal basis, (ii) using your personal information for direct marketing or (iii) using your personal information for statistical purposes.
- Right to withdraw consent – where we are using your personal information on the basis of your consent, you can withdraw that consent at any time.
- Right of access – you can ask for confirmation of what personal information we hold about you and request a copy of that personal information. Provided we have successfully confirmed your identity (we need to be sure we are only releasing your personal information to you), we will provide you with your personal information subject to any exceptions that apply.
This is sometimes called a “subject access request” and can be done by writing to us at the email or postal address in the “Contact us” section below.
- Right of erasure – in some cases, you can ask us to delete your personal information from our records (or to anonymise it). We may retain some limited personal information in order to ensure you are not contacted by us in the future.
- Right of rectification – if you believe our records concerning you are inaccurate, you have the right to ask us to update them. You can ask us to check the personal information that we hold about you if you are unsure.
- Right to restrict processing – in certain situations you have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.
- Right to data portability – where we are processing your personal information using automated means on the basis of consent, or to perform a contract, you may ask us to transfer it to another service provider in a usable format.
To exercise any of these rights, please send us a description of the personal information in question, along with an explanation of the rights you wish to exercise, using the contact details in the “Contact us” section below. In some cases we may ask for proof of identification or further information before we can process your request.
Please note that these rights only apply in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO) – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ – or please contact us using the details in the “Contact us” section below if you are unsure.
Third party websites
Due to the collaborative nature of our work, our websites often contain links to other sites, including those of our delivery partners. For example, our Heads Together Project signposts those seeking mental health support to organisations such as Samaritans and Mind.
This Notice does not cover those external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website or if you are involved in one of our Projects, please visit the website of those partners who are listed on the campaign website as being involved so you can understand how they collect, use and share your personal information.
Changes to this Notice
We keep this Notice under regular review and may update it from time to time, so we recommend that you check it regularly. Where necessary we may also notify you of changes to this Notice by email.
This Notice was last updated on 16th May 2018.
Contact us (including complaints)
If you have any questions or concerns (including complaints) about this Notice or about the way in which your personal information is being used please let us know by contacting us in the following ways:
by email: firstname.lastname@example.org
by telephone: +44 (0) 207 101 2000
by post: The Royal Foundation of The Duke and Duchess of Cambridge and Prince Harry, Kensington Palace, Palace Green, London W8 4PU.
In each instance, please ask for or address your communication to Data Protection Lead
You are entitled to make a complaint at any time to the Information Commissioner’s Office, the UK regulatory authority for data privacy (https://ico.org.uk/global/contact-us/). We are always grateful for the opportunity to resolve your concerns before you approach the ICO, so appreciate if you would contact us in the first instance.