Crisis' commitment to your privacy and data protection
Crisis takes the protection of your personal information seriously. Our values include treating everyone with dignity and this includes making sure we keep your privacy in mind.
Crisis never sells or exchanges our supporter's information with other organisations. ('Supporters' means people who have volunteered, fundraised, campaigned or donated to Crisis).
This privacy policy tells you;
- what information we collect about you
- the ways in which Crisis collects your information when you support us
- our legal basis for using that information
- what the information may be used for.
This privacy policy also outlines your rights about your personal information.Crisis takes the protection of your personal information seriously. Our values include treating everyone with dignity and this includes making sure we keep your privacy in mind.
We consider your privacy in everything we do. Privacy policies can be complex. We have tried to make ours as clear and as accessible as possible. We have also summarised how we handle your personal information at Crisis in our privacy principles below.
Our Promise
At Crisis we are committed to protecting your privacy and handling your personal information in the right way and as you would expect it to be handled:
- We will only ask for or collect the personal information that we need to run and improve our services and to talk to you about our work - such as volunteering, fundraising, donating and campaigning.
- We give you control over the personal information we hold about you to make sure it is accurate.
- We make sure your personal information is always secure and protected.
- We are fair and transparent about how we use the personal information we hold.
- We only ever use your personal information for the purpose that you trusted us to use it for.
- We will never sell your personal information and only share it as outlined in our privacy policy, or when you ask us to.
- We respect your choices and will tell you if there are important changes that affect your personal information or how we use it.
- We take responsibility for the personal information that we hold about you.
What personal information does Crisis collect?
We are not interested in collecting every personal detail about you. Our main reason for collecting personal information is to run our services and support our work to help end homelessness. To end homelessness we need to fund our services, carry out research and campaigning work through charity fundraising and by attracting volunteers to support us.
Crisis defines personal information as any information that could be used to identify an individual.
We collect personal information in a number of different ways: It could be information you may share with us, or we may collect information using other means such as through email and our website.
If you support Crisis (for example if you volunteer, fundraise, donate or campaign for us) we collect and use personal information such as an individuals name, postal address, email address and phone numbers. We will also hold details of any donations or transactional services you may make with us, together with your marketing communications preferences. We will hold a record of our communications with you and any communications with us.
If our telemarketing partner - Ethicall - contacts you as one of our supporters, the calls are recorded and sent securely to Crisis. We can use these to confirm that you gave oral consent to update your marketing preferences.
Calls to our in-house supporter services team are not recorded, but our out of hours supporter service is managed for us by Angel Fulfilment Services and we can access these calls to assure the quality of the call, and to verify content where necessary.
If you have kindly added Gift Aid to a donation we must record the fact that you are a UK taxpayer. HMRC requires that we maintain a record of that Gift Aid for seven years after your last donation to us.
As a volunteer we ask for your personal contact information, and we ask for some (optional) information which we use to provide some equality and diversity information to make sure our Diversity and Inclusion Policy is working.
How does Crisis use personal information?
Crisis' main purpose is to run services that help people to get out of homelessness - for good. We can only manage that by raising funds from people who share our values and goals. As someone who donates to us we use your information to make sure you only hear about the areas of our work that you're interested in and support.
We do not believe in hiding how we work, and we aim to be totally honest, clear and transparent in everything we do. This includes how and when we collect personal information, where it is kept and how we make sure it is kept safe and secure. In the sections below we explain the different reasons why we collect this information. Your information might not be used for all the reasons below - it will depend on your relationship with us, whether you use our services, support us through our campaigns, appeals or fundraising activities, or donate your time as a volunteer.
Purpose and what this means:
Running Skylight services
If you access our Skylight services we will collect personal information about you. We use this to assess eligibility to services, and to make sure we support you in the best way possible. If you are joining Crisis as a member we will collect some information like contact details and whether you have any special health conditions we need to be aware of. We also collect some information like gender, or what languages you speak for inclusion purposes. We also collect some information (such as criminal convictions) to keep everyone safe. With your explicit consent we will share this information with local services who can also help you. We will only ever share information without consent if it is to protect the safety and well-being of someone we believe is at risk of harm, for legitimate police requests to support a serious criminal investigation, or if we are directed to share information by a court order.
Our Christmas Service
Each year we open centres across the country, bringing festive cheer, activities, good food, shelter and health-related support to homeless people (our guests) who join us for the Christmas period. When you join us as a guest at Christmas, we collect personal information (including some health information). This is to make sure we give you the best support, and also encourage you to start a longer-term relationship with us.
Fundraising and marketing
We use a range of fundraising and marketing activities as all major charities do, to raise income and promote our aims and goals. At Crisis we use a variety of marketing activities and channels like direct marketing, events, raffles, campaigns and appeals (in print, broadcast - TV and radio - and digital) to generate income, and encourage people to volunteer. This might include talking to you about these activities through our outbound telemarketing partner Ethicall. In partnership with GB Group PLC , Ethicall pass existing phone numbers to GBG to check the validity of the number before calling you.
Our Christmas appeal is the biggest appeal of our year. It gives us an opportunity to raise awareness about our year-round services and creates awareness about our campaigning and policy work to end homelessness for good. If you are a Crisis supporter we rely heavily on contacting you, and potential new supporters, by post to generate the funding we need to open doors for the thousands of people who turn to us, not only at Christmas but throughout the year. To achieve this Crisis rent contact lists through our creative partner organisation Catalyst to make sure we reach as wide an audience as possible.
Research and surveys
We welcome our supporters' views on the effectiveness of our services and our campaigning activities. We may therefore occasionally use the contact details we have for you to ask you to participant in on-line surveys and research to ensure that we are meeting your expectations in our efforts to end homelessness. To fulfil this we use an external service provider Typeform - an EU based company utilising Amazon Web Servers In the USA for data storage. All personal information has appropriate safeguards in place to protect in (pseudonymised) to meet GDPR requirements.
Wealth screening and financial profiling
Crisis does not routinely data-match to find out more information about you.
If you are a philanthropist – someone who is able to make larger gifts to us we may analyse the information we collect and use publicly available information to create a profile of your interests, preferences and level of potential future donations so that we can contact you in the most appropriate way. We will always tell you if we are holding additionally sourced information and we always respect your right to have this information deleted.
We use research bodies such as Factary to help research philanthropic giving to other organisations, and MINT UK and Mouseprice to identify individuals, trusts or companies with a philanthropic interest in our cause. This helps us to understand the philanthropic landscape better, to gain an understanding of which types of donors are giving, at what levels and to what causes. This helps us to shape our fundraising strategy.
What legal basis does Crisis use to collect personal information?
Crisis needs a lawful reason to collect and use personal information. The law names six legitimate ways that we can process personal data. Of those six, we consider that five of them can be applied to Crisis' operations:
- Information is processed on the basis of someone's consent
- Information is processed on the basis of a contractual relationship
- Information is processed for a legal obligation
- There may be occasions where information is processed to protect the vital interest of an individual
- Information is processed on the basis of the 'legitimate interests' of Crisis
Consent
As a supporter of Crisis we will always ask for explicit consent to send marketing and fundraising emails, and text messages. We will also ask if you want to be contacted by phone. All our telemarketing campaigns are checked with the Telephone Preference Service and Fundraising Preference Service to make sure that we do not make contact if you do not want to receive marketing communications from us.
Where we have rented contact lists from external agencies for our Christmas appeal we always check these against the Mail Preference Service and Fundraising Preference Service.
You can of course withdraw consent at any time by contacting our supporter services team on 08000 384838 or email supporter.helpline@crisis.org.uk
Legal obligation
If you have kindly added Gift Aid to a donation we must also process some minimal information for HMRC and hold this for seven years.
Legitimate interests
The law allows Crisis to legally collect and use (process) personal information if it is necessary for a legitimate business interest of the organisation. However it must be used in a fair and balanced way that does not impact on your rights. This includes using direct marketing for charitable purposes if there is a wider benefit to society. For Crisis this means that for our Christmas appeal we can lawfully write to you to encourage your support of our work.
Crisis processes personal information for this purpose and under this lawful basis, there may be times where the quality of the evidence of consent may not be as robust as in recent years. In line with best practice Crisis has, carried out a balancing test to reflect how we consider we may process information under this lawful basis, which you can read here.
You have the right to object to our lawful processing of your information. To let us know that you do not want to receive any more direct marketing please contact our supporter services team on 08000 38 48 38 or by email on supporter.helpline@crisis.org.uk
We have other legitimate interests holding and form processing. They are governance, publicity and income generation, operational management, financial management and control and for administrative purposes. There is more information about this below:
Governance:
- To help deliver our charitable aims (set out in our objectives)
- To report criminal acts and comply with law enforcement agencies
- Internal and external audit for financial or regulatory compliance purposes
- Statutory reporting for areas funded by the European Social Fund
Publicity and income generation:
- Direct marketing including supporter profiling for campaigns, generating income or charitable fundraising other forms of marketing, publicity or advertisement
- Exercising the right to freedom of expression or information, including in the media
- Data analysis and insight measurement, targeting and segmentation to develop corporate strategy and improve communication efficiency
- Processing for research purposes
Operational management:
- Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes
- Providing and administrating of staff benefits such as pensions
- Physical security, IT and network security
- Maintaining of 'do not contact' lists (suppression files)
- Processing for historical, or statistical purposes
Financial management and control
- Processing financial transactions and maintaining financial controls
- Preventing fraud, misuse of services or money laundering
- Enforcing legal claims
Purely administrative purposes:
- Responding to any solicited enquiry from any of our stakeholders
- Delivering requested products or information packs
- Communications to members for appointments, classes, and health related appointments where appropriate in our Skylight centres
- Administering of Gift Aid
- 'Thank you' communications and receipts
When we use your information we will always consider if it is fair and balanced to do so and if it is within a supporter's reasonable expectations. We will balance your rights and our legitimate interests to make sure that we use your personal information in ways which are not unfair or unduly intrusive
The types of information you may share with us
We collect personal information that you share with us when you contact or interact with us through our website, email, phone, face-to-face, post and through our online and offline forms. You can decide not to provide certain information, or ask that any information that you have previously shared is removed - but only under certain circumstances. For example HMRC requires us to keep Gift Aid information for seven years. If this request is made, please be aware that you might not be able to take full advantage of our services or support our work to end homelessness.
For example, you might provide information to us when contacting customer service teams, making a donation, registering for an event, completing a survey, competition or questionnaire or updating your communication preferences. Through these interactions your name, address, email address, and contact number and payment information could be collected.
Crisis never sells or exchanges our supporter information with other organisations.
Do we process sensitive information
Supporter information
As a supporter it is less likely that we may process sensitive information - but we might if you are participating in an event or working as a volunteer in one of our shops, and we need to make sure we provide appropriate facilities to support specific health issues.
Credit or debit card information
As a supporter, if you use a credit or debit card to make a donation to us, your card details are processed through our payment-processing partner - Worldpay – as part of the payment process. We do this in accordance with the Payment Card Industry Security Standards. We also accept payments through Paypal.
Crisis also accept contactless donations using Liberty Pay where Allied Irish provide merchant bank services. In these instances, your card details may be transferred outside the EEA by the service provider. Please check their websites for further details.
For payment for goods at pop-up events, Crisis use Izettle to facilitate card transactions.
Where does the information we hold about you come from
Most of the information we hold is given to us directly by you during your interaction with our website, our services, or supporter activities such as fundraising. We may also receive your information when you donate to us through third party services like Just Giving, Virgin Money Giving, and Payroll Giving Agencies.
In some situations, we may update your information through other agencies; for example to check that we have a valid postal address, or to check whether you are registered on the telephone preference service or fundraising preference service
Crisis applies to trusts and foundations for funding towards our services. These organisations have been established to give grants and seek applications from charities that share similar values and goals. We research each organisation thoroughly before applying on either an invited or a speculative basis. In order to facilitate this process, we will retain contact details on our database. If a trust or foundation does not wish to support us at the time of application, we will retain these details for future applications. If any trust or foundation does not wish to be contacted now or in the future, we will respect their wishes - removing them from our active list and deleting all personal details.
Through our shops, Crisis has an ethical furniture range that is assembled in our Merseyside Skylight – purchases go towards giving a homeless person both the experience of working in a team environment, and also supporting our skylight centre activities. When you buy a piece of furniture we will collect your information to process the purchase and deliver the furniture where you have asked us to do this. We will not use your information for marketing purposes unless you have asked us to do this.
Where you ask us to deliver your furniture, we pass your contact details to our suppliers purely for this purpose.
How long do we keep your personal information
We only keep your information for as long as we need to, to be able to use it for the reasons given in this privacy policy.
In general terms we remove identifiable personal information from our records five years after the date of your last interaction with us. In most cases this represents seven years after the last financial transaction. There are two exceptions to this:
- Where someone has kindly left Crisis a gift in their Will. In these cases we will maintain our records of that pledge to carry out legacy administration and communicate effectively with the families of people leaving us a legacy.
- Where someone has kindly added Gift Aid to a donation to us, we are required by HMRC to retain those details for seven years after the last donation. If you request that we will delete your details, we must retain a minimum level of information to support this legal requirement from HMRC.
How can you change the way we contact you about our services and work
We will only send digital marketing communications when you have told us that you are happy for us to.
As a supporter you can change the way that we contact you in the following ways;
Opt-in/start contacting me:
If you hadn't previously asked us to send you marketing communications, you can ask us to start contacting you (sometimes called an "opt-in") by calling our supporter services team on 08000 38 48 38 or emailing us at supporter.helpline@crisis.org.uk.
Changing communication preferences:
If you have previously said that you would like us to contact you ("opted-in") but you want to change or update that, just call our supporter services team on 08000 38 48 38 or by emailing us at supporter.helpline@crisis.org.uk
Opt-out/stop contacting me:
If you want to stop receiving communications from us (sometimes called "opting out"), you can by calling our supporter services team on 08000 38 48 38 or emailing supporter.helpline@crisis.org.uk
What personal information does Crisis share with third parties?
Supporter information
Crisis doesn't share, sell or exchange your information with other organisations to be used for their own marketing communications. However, Crisis does use external service providers to support our telemarketing, postal campaigns and email communications for marketing purposes. In these circumstances, the relationship between Crisis and the external provider is governed by a contract and strict security requirements to protect personal information. Crisis ensures that where external suppliers sub-contract elements of their service to us, that the contractual requirements levied against the main contractor are cascaded throughout the supply chain.
We send you information about activities that you have expressed an interest in or we believe you may wish to support us with. To tailor these communications, we use a variety of both in-house and external analytic services. Some of these external analytic services are services provided outside of the UK but within the EU. Where this happens, we ensure that robust contracts are in place with appropriate data protection clauses that meet GDPR & DPA 2018 standards.
Transfer of personal information overseas
Under data protection law organisations that want to transfer personal data outside of the EU must assess whether the country the data would go to has an adequate level of protection for individuals. The European Commission decides whether countries are considered adequate, either partially or fully. Several of the contracted suppliers that Crisis works with store information outside of the EU. These are usually where we have embedded a data capture form in our website, and the data you enter is transferred securely to our overseas contractor for processing. Data is stored in both the USA and Canada through three key suppliers: Sendgrid (USA), Amazon Web (via Typeform) servers (USA) and Engaging Networks (Canada). The EU has published a partial 'finding of adequacy' for Canada which excludes not-for profit bodies, we therefore utilise the EU standard contractual clauses as a lawful basis to transfer information to our processor. Crisis also ensures that information is secure both in transit and at rest with the supplier – Engaging Networks.
For suppliers in the USA we rely on the legal framework of adequacy under the EU-US Privacy Shield. This is a binding legal instrument under European law which can be used as a legal basis for transferring personal data to the USA. The Shield contains many strong privacy requirements including the companies who receive data have an obligation to provide greater transparency about the processing they do, and tighter restrictions for forward transfers of that data. The Privacy Shield documents contain assurances from the US government that any access by their public authorities to personal data transferred under the Shield will be subject to clear limitations, safeguards and oversight mechanisms. Sendgrid's Privacy Shield registration can be found here.
How do we protect your information
We are committed to protecting your personal information. We use appropriate technical and organisational measures, including encryption, to protect personal information and privacy, and we review them regularly. We protect your information using a combination of physical and IT security controls, including access controls that restrict and manage the way that information and data is processed, managed and handled. We also make sure that our staff are adequately trained in protecting personal information.
Our procedures mean that we may sometimes ask for proof of identity before we share your personal information with supporters or members - for example when we contact you we will want to check that we are speaking to the owner of that personal information.
In the unlikely event of a security breach which compromises our protection of personal information, and we need to let you know about it, we will do so
What are my rights when it comes to data protection
Data Protection Rights
Where Crisis is using your information with consent you can withdraw that consent at any time. You also have the right to ask Crisis to stop using your information for direct marketing purposes. Just contact our supporter services team on 08000 38 48 38 or email supporter.helpline@crisis.org.uk.
Your rights are clearly laid out in data protection law, see below for more detail.
The Right to be Informed
You have the right to be told how your personal information will be used. This Privacy Policy document, and shorter summary statements used in our communications, is intended to be a clear and transparent description of how your information may be used.
The Right of Access
You can write to the Data Protection Officer asking for what information we hold about you and can request a copy of that information. The Data Protection Officer's contact details are at the top of this page. From May 2018, once we are sure you have the right to see the requested records (for example: We have confirmed that you are who you say you are) we will have one calendar month to comply.
The Right of Erasure (also known as the right to be forgotten)
You have the right to request that your information be deleted from our systems and databases but only in certain circumstances e.g. HMRC requires that we keep Gift Aid information for seven years.
If you have been kind enough to support us and have added Gift Aid to a donation in the past, Crisis has a legal duty to retain minimal information for HMRC for seven years after your last donation.
In many cases we would recommend that we suppress rather than delete your information completely, otherwise you may be contacted in error if your details are then given to us from a third party lead generation company.
The Right of Rectification
You have the right to ask that we correct and update factually inaccurate information that we may hold about you.
The Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances:
- When you are contesting the accuracy of the data we hold, and we are verifying the accuracy of that data.
- When you have objected to having your information processed under the lawful basis of legitimate interest, and we are considering whether our organisation's legitimate grounds override yours.
- When the processing is unlawful and you oppose erasure and request restriction instead. •Where we no longer need the information, but you have requested your data from us to establish, exercise or defend a legal claim.
The Right to Data Portability
You have the right to data portability. This means that you can ask for and reuse your personal information for your own purposes across different services. It has been designed to allow you to copy or transfer your information from one IT environment to another - for example from one banking service to another, or one utility provider to another.
The Right to Object
You have the absolute right to stop the processing of your personal information for direct marketing purposes, even in circumstances where we may be processing your information under the legitimate interest lawful basis.
You also have the right to object to your information being processed for secondary purposes e.g. data analytics and insight measurement, even in circumstances where we may be processing your information under the legitimate interest lawful basis. If you wish to exercise this specific right, please let us know on data.protection@crisis.org.uk
The Right to Object to Automated Decisions
You have the right to object to automated decisions where a someone (usually a Data Controller) is using your personal information in a computerised model or algorithm to make decisions “that have a legal effect on you”. This is more likely to be applicable to scenarios such as if you have applied for a mortgage or credit card and the decision is made automatically based upon your credit profile. Crisis does not do this kind of modelling.
Marketing and communication preferences
To help ensure our communications with you are relevant, we analyse geographic, demographic and other key characteristics and behaviours relating to you; as well as your previous responses to our marketing communications. This helps us to personalise and improve your supporter experience with Crisis and minimise wastage. Some of this analysis is based on data provided by you and some of this is provided by external organisations.
We only want to send communications that are of genuine interest and relevant to you. You are in control of how we use your personal information for marketing and fundraising purposes. Simply call our supporter service team on 08000 38 48 38, and you can update information about how we contact you, how often and what the types of fundraising communications that you receive. Alternatively, email supporter.helpline@crisis.org.uk or use our website to contact us.
Facebook Marketing
You may come across Crisis naturally on Facebook through your own networks, or you might be presented with a promoted advert from us. We use targeting advertising on Facebook which allows people who are interested in our work to connect with us and become a supporter. We do this to inform, educate and engage new potential supporters.
We may provide your email address, mobile number and address to Facebook, so they can determine whether you are a registered account holder with them. Our adverts may then appear when you access Facebook. Facebook deletes that data that we provide them in an encrypted format if it does not match with an account.
Facebook is a hugely valuable tool for us and the community that we serve, which is why we use it as a platform. Facebook is a commercial company however. We want to remind our supporters and users that information shared on timelines, on our page or in private messages may be used and sold by Facebook for commercial purposes.
Cookies
Crisis uses resident cookies to store data on the hard disk of computers, tablets, and other mobile devices to identify when you return to our website. If a person has cookies disabled in their browser, they are still able to use our website. Crisis uses session cookies to store data on our server, which is individually identifiable. This means that a session cookie could be stored on your machine and will expire once that visit to the Crisis website has ended. The Crisis website functionality is dependent on accepting session cookies. Crisis tracks visitors to and on the Crisis website by using referrer tracking. Crisis uses click through and open mail tracking when sending emails. This gives Crisis the ability to tailor future email communications.
By using our website, our social media pages (such as LinkedIn, Facebook, Twitter, and YouTube), subscribing to our services, and donating to us, you agree that, unless you have set your computer's browser to reject them, we can place temporary session cookies on that device and use that data in accordance with this policy.
For more details on our cookie policy and a description of the cookies we use please see our cookie policy. For more details on Shopify's cookie policy and a description of the cookies they use please see their cookie policy.
What to do if you are not happy
In the first instance, please talk to us directly so we can help resolve any problems or queries. Our supporter services team can help on 08000 38 48 38, or you can contact our Data Protection Officer using this email address data.protection@crisis.org.uk. You can also register with the: • Fundraising Preference Service (FPS). This service is run by the Fundraising Regulator and allows you to stop email, telephone, addressed post, and/or text messages from a selected charity. Use the link above, or you can call them on 0300 303 3517. Once you have made a request through the FPS, we will ensure that your new preferences take effect within 28 days. You also have the right to contact the Information Commissioners Office (ICO) if you have any concerns about how your information has been handled. You can use the link above or call them on 0303 123 1113.
contact our Data Protection Officer using this email address data.protection@crisis.org.uk. You can also register with the: • Fundraising Preference Service (FPS). This service is run by the Fundraising Regulator and allows you to stop email, telephone, addressed post, and/or text messages from a selected charity. Use the link above, or you can call them on 0300 303 3517. Once you have made a request through the FPS, we will ensure that your new preferences take effect within 28 days. You also have the right to contact the Information Commissioners Office (ICO) if you have any concerns about how your information has been handled. You can use the link above or call them on 0303 123 1113.