© Showkat Nanda
28 Feb 18 07 Jun 18

MSF UK privacy notice

About this Policy

At MSF UK we make sure we protect the information you give us.

References to “we” or "us" are to MSF UK (Charity Registration Number: 1026588).

We collect information that helps us make informed decisions, fundraise more efficiently and give you the best possible experience on our UK websites and from our communications.

This privacy policy is written in accordance with relevant data protection legislation including the Data Protection Act 1998, Privacy and Electronic Communications Regulations 2003 and the General Data Protection Regulation. MSF UK is registered under the Act as a Data Controller number Z4904673.

This privacy policy sets out how MSF UK collects, uses and stores personal data, including via its website, msf.org.uk and its associated sites, including secure.msf.org.uk, resources.msf.org.uk and msfassociation.org.

"Fifteen years ago we made a promise to our donors to provide them with the highest standard of care. As part of delivering on that promise we’re constantly strengthening our data protection measures; giving our supporters more control over their personal data."
vickie hawkinsExecutive Director, MSF UK

If you’ve any questions please contact us using the details below.

When do you collect information about me?

We collect information:

  • when you give it to us directly
  • when you give it to us indirectly
  • when you give it to us via social media
  • when you use our websites or apps

DIRECTLY

You may give us personal information when you: donate, sign up for one of our events, communicate with us, request a speaker, sign up for email newsletters and leave a comment on our social media accounts.

INDIRECTLY

We may get your personal information via a fundraising organisation or platform (eg Just Giving) if you’ve told them that you’re supporting MSF UK and with your consent. Please check their privacy policies when you give them your information.

SOCIAL MEDIA

We may get information about you from your social media accounts or services. Facebook and Twitter are examples. We can do this if you’ve set your account settings to give us permission. Please check your settings and their privacy policies for more details.

In some cases we hold publicly available information from social media channels (such as social media handles or number of followers) on our social customer relationship management system ‘Prezly’. This provides us with an overview of who drives the conversation on topics that relate to our work. Should we want to reach out to a particular social media handle we would do so using the contact information they have provided publicly.

OUR WEBSITES AND APPS 

We use “cookies” help us improve the performance of our UK websites and campaigns.

Cookies are small text files that websites send to your computer (or phone or tablet). They save and store information about how you use the website.

We use them to give you a tailored experience on our website. They make using our sites faster and easier. For example, when you donate on MSF UK, a cookie helps the site ‘remember’ which kind of donation you’ve chosen as you move through the site.

Our website also uses web third-party cookies that allow us to track conversions and activity on our website as well as generate advertisements that appear on Facebook, for example, and other search engines like Google for you and other potential users. Such third party cookies may collect or receive information through your use of our websites to provide advertisements and allow it to create lookalike audiences. We don't collect personal information via these cookies.

Find out more on cookies page.

If you enter your details onto one of our online donation form, and you don’t complete the donation, we may contact you via email to see if we can help with any problems you may be experiencing.

Similarly if you receive an email, open it, don’t open it, select a link, browse our website, we collect this information so we can see which stories are popular and which aren’t. This data is not used to identify you personally.

What information do you collect?

If you contact us for any reason we'll usually collect your:

  • name
  • email
  • phone number
  • address

When you donate we may also ask for:

  • your bank or credit card details (which are stored under PCI Compliance regulations).
  • date of birth through our face-to-face fundraising to check you’re over 18.

We may also record:

  • information about your health, if it affects your ability to donate (eg if you’re hard of hearing we need to make sure we contact you in a way that suits you), in accordance with our Vulnerable Persons Policy. This is with your consent only.

When you sign up for a survey or fundraise for us we may also ask:

  • what your interests are eg medical interests or countries we work in
  • which age bracket you’re in
  • what social media channels you use

If you sign up for our Access Campaign website your data will be collected by our Geneva office. Please read their policy to find out more about how they look after your data.

How do we use your information

We use your data to:

  • deal with your enquiries and requests
  • process and acknowledge your donations
  • keep a record of your engagement with us
  • send you updates, marketing and fundraising communications 
  • understand how we can improve our services and information
  • analyse our fundraising activity

We won’t sell your details to any third parties or other charities. Read our donor promise for more info.

How we use your data depends on why you’re providing it:

ONLINE FORMS AND FEEDBACK

We’ll use your personal information to respond to your questions, requests or register you for events.

SURVEYS 

We use surveys to understand who visits our websites and how they use it, helping us to create better content for you and make our websites easier to use.

We may ask for your email address if you’re happy to be involved in future surveys or testing. We’ll only use this to ask you to help us with these types of requests.

DONATIONS

We use your information to process and keep a record of your donation. We also use it to claim Gift Aid if you've selected this option.

DIRECT MARKETING

We use direct marketing to let you know what MSF is doing and how your support makes a difference. We may use it for emergency fundraising or to ask for other support. We'll always respect your preferences and endeavour to send you information that you’ll find interesting, in the format you prefer.

We'll send you direct marketing by post unless you indicate that you don't want to hear from us this way. We send these communications on the basis of it being within our legitimate interests to do so or if you've consented to receive this. Please see the “Legal Basis for Processing Data” section below for more information on this.

We'll also send you direct marketing by e-mail, SMS and phone if you've consented to hear from us this way.

The types of marketing that you can expect to receive from MSF UK include:

  • Our ‘Dispatches’ magazine
  • Monthly Email updates 
  • Emergency appeals
  • Event invites

Our email direct marketing has ways to opt out or update your preferences in the footer of each email. You can opt out at any time.

If you don’t want to hear from us, that’s fine. Just let us know on 0207 404 6600 or at uk.fundraising@london.msf.org.

SOCIAL MEDIA

We may use publicly available information from your profile to target you with specific posts that may interest you.

We’ll never ask for personal or sensitive information on social media. We may repost or share your posts on social media if it relates to MSF and our work.

We may respond to questions, queries or comments left on our social media channels. We may use information found on your profile to help us answer these.

Check your social media accounts if you want to change the information you make public.

Our websites use sharing buttons which share our web pages to social media platforms. Use these buttons at your own discretion. 

Social media platforms may track these shares through your accounts.

Who has access to my data?

TRAINED STAFF

Your information is only accessible by trained staff, volunteers and contractors. We regularly review who has access to your information.

We do comprehensive checks on any contractors before we work with them. We always put a contract in place that sets out how they manage the personal data they collect or have access to.

DATA PROCESSORS 

We use other companies to help us manage and store personal data and to carry out certain activities on our behalf.  Our main data processors are listed below, but we may enlist the services of others from time to time:

  • Valldata – our donation processing partner
  • CARE – our in-house fundraising database
  • Mango – our inbound call centre
  • Communicator Corporation – our direct e-marketing platform
  • Brightsource – our direct mail partner
  • EverGiving -  our face-to-face fundraising tool
  • Braintree - Our Apple pay partner
  • Mosaic – our fundraising resource ordering platform
  • Survey Monkey – surveys and competitions
  • Association website – we store association member’s login details
  • Taleo – UK office staff recruitment portal
  • HERO– Field staff recruitment and HR database

We’ll only disclose your personal data to third parties, without your consent, when we have to by law, for example to authorised statutory agencies or authorities.

How do we keep your information safe?

We use appropriate technical and organisational measures and precautions in order to protect your personal data and to prevent the loss, misuse or alteration of your personal data.

We have lots of technical measures, eg we encrypt our online forms and routinely monitor our network and we use industry standard SSL certificates and PCI compliance.

While we make sure to keep your data safe, no data transmission over the Internet is 100% secure. We can't guarantee the security of any information you send us and you do so at your own risk.

How long do we keep your information?

We keep your information for as long as it’s necessary. For example, we keep your financial data for at least seven years.

If you request to receive no further contact from us, we'll keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.

Our legal basis for processing personal data

Organisations need a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that MSF carries out.

This includes information that is processed on the basis of:

  • A person’s consent (eg to send you direct marketing by e-mail or SMS);
  • Processing that is necessary for compliance with a legal obligation (eg to process a gift aid declaration); and 
  • Our legitimate interests (please see below for more information).

Personal data may be legally collected and used if it's necessary for a legitimate interest of the organisation using the data, as long as its use is fair and doesn't adversely impact the rights of the individual concerned.

Our legitimate interests include:

  • Charity Governance; including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
  • Administration and operational management; including responding to solicited enquires, providing information and services, research, events management, the administration of volunteers and employment and recruitment requirements. 
  • Fundraising and Campaigning; including administering campaigns and donations, and sending direct marketing and thank you letters by post. 

If you'd like to change our use of your personal data in this manner, please get in touch with us using the details below.

How can I change my information and can I access it?

Contact us at uk.fundraising@london.msf.org or 020 7404 6600 if you'd like to:

  • Update your personal information
  • Change your personal information
  • Change your contact preferences

You have a number of rights under data protection legislation:

  • You can request any information we hold on you. Email us at uk.fundraising@london.msf.org and ask for it in writing. We'll supply any information you ask for as soon as possible, but this may take up to 30 days. You may be asked for proof of identity.
     
  • You have the right to ask us to stop using or to restrict the processing of your personal data in certain cases, eg where it’s not needed to do what you provided it to us for, or if there is some disagreement about its accuracy or legitimate use.
     
  • You can withdraw your consent to us processing your data at any time (where such processing is based on consent eg to send you electronic direct marketing).
     
  • If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. To update your records please get in touch with us using the details above.
     
  • In some cases, you have the right to be forgotten (ie to have your personal data deleted from our database), or transferred to another organisation (“data portability”). Where you have requested that we don't send you marketing materials we'll need to keep some limited information in order to ensure that you're not contacted in the future.

Kristen Verblen-McArthur is our data protection lead. You can contact her if you’ve any queries about data protection.

If you have any concerns about the way your data is being used or if you’d like to make a complaint please contact us using the details above. You're also entitled to make a complaint to the Information Commissioner’s Office and the Fundraising Regulator.

When do you update this notice?

We change this Privacy Notice when we need to. If we make any significant changes in the way we treat your personal information we’ll make this clear on our websites or by contacting you directly.

This privacy notice was prepared to be as comprehensive as possible, but it doesn't include an exhaustive list of every aspect our collection and use of personal information. However, we'd be happy to provide any further information or explanation about our practices.

If you’ve any questions, comments or suggestions, please let us know by contacting us.

Privacy Policy for MSF staff

This describes how MSF UK (“we”) collects, holds and processes personal and sensitive data about its employees, ex-employees, individuals on the register waiting to be assigned to a mission, volunteers and anyone going through an application process – referred to as ‘you’ below.

MSF UK is a Data Controller in terms of the Data Protection Act 1998. We maintain information about you (your personal and sensitive data) in paper and electronic form. This is managed by the Human Resources Team. For certain services, such as payroll, we share this information with other parts of MSF UK (i.e. Finance) and sometimes with external partners who provide HR services on our behalf, for example payroll processing. We also share your contact details with the MSF Association UK/IE and our Fundraising team, solely for the purpose of sending you information about the work of MSF. Depending on the nature of your contract or work with us, we may also need to share your personal data with other partners within the MSF Movement. This will only be shared and used for the same purposes detailed below.

What personal data we collect and why

We use this information to administer payroll, pensions, insurance, training and appraisals, monitor equal opportunities, obtain visas, book travel and manage your access to various services such as IT and buildings. We cannot offer you an employment contract without having specific personal information about you. We also have certain legal obligations to keep information for a set period of time and on specific occasions disclose information to the appropriate authorities.

Some personal data about you is collected as part of our Equal Opportunities monitoring. Reports from this only use data in an anonymised form (so you cannot be identified from it) and are only shared within relevant internal functions. We also conduct an annual staffing audit containing some of your personal data, which is shared only internally to authorised personnel.

How we keep your data secure

MSF UK takes information security very seriously, particularly in relation to personal and sensitive data. We undertake regular audits and checks of personal data management and failure of our staff to comply with our Data Protection Policy is a disciplinary offence.

IT Facilities

Your name and, where relevant, work email address and phone number, will be included in the MSF UK Active Directory to enable us to provide IT services to you. Under the Regulation of Investigatory Powers Act 2000 and The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 we have the right to monitor the use of computer and telephone facilities for purposes such as preventing and detecting criminal acts, investigating unauthorised use, making sure that policies are being followed and for training and quality control.

External Disclosures

Sometimes we will pass information about you to third parties, where the law allows it. For example, we may confirm the dates and nature of your employment to a prospective employer. We do not give or sell your information to other organisations.

When you leave

If you decide to leave MSF UK’s employment, your personnel file is kept for seven years from the date you leave. If you were a member of a pension scheme, some information will be kept longer to allow payment of a pension.

Accessing your personal data 

You have a right to see all the information that we keep about you. This is called a subject access request; if you wish to do this, please contact the Data Protection Officer. Our overall Data Protection Policy can be found on our website. All MSF UK employees, contractors and suppliers are expected to comply with this policy.