This privacy statement tells you what to expect when we collect personal information.
Who are we?
In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to Epilepsy Action (a working name for British Epilepsy Association) and BEA Trading Limited.
BEA Trading Limited sells a range of goods and enters into corporate partnership arrangements. All of its profits are passed to Epilepsy Action (a working name for British Epilepsy Association). The company is wholly owned and controlled by British Epilepsy Association.
Your acceptance of this policy
By using our websites, social media pages, entering a competition or providing your information you consent to our collection and use of the information you provide in the way(s) set out in this policy. If you do not agree to this policy please do not use our sites, social media pages or services.
Changes to this privacy statement
We regularly review our privacy statement. Any updates will be posted on our website and will apply from when they are updated on the website. Supporters that we are in contact with will be informed if there are major changes.
What is personal data?
‘Personal data’ means any information that identifies a living person. This can include name, address, phone number or email address.
It also covers our use of any personal information you provide to us. This may be by phone, text message (SMS), email, social media, letter and other correspondence, and in person. It can include IP addresses and other technical identifying information.
What is sensitive personal data?
‘Sensitive personal data’ means information about someone that may include their physical or mental health or condition. For example, this might include their epilepsy status, their age or ethnicity.
- People we collect information on
- Why we hold your data
- How we collect data
- Complying with the Data Protection Act
- Marketing communication preferences
- Note on email marketing
- Social media
- Building profiles of supporters and targeting communications
- Giving your data to other organisations
- Sensitive data
- People who call our helpline
- Job applicants, current and former Epilepsy Action employees
- Your data on our website
- Website hosting
- Spam prevention using a third-party system
- People who contact us through social media
- Children’s data
- Accessing information held about you
- Changing your communication preferences
- Asking for your data to be deleted
- The remit of this policy
- How to contact us
People we collect information on
We need to collect and use your personal data if you contact us for any reason, including if you are a:
- Member of Epilepsy Action.
- Member of our online community.
- Someone who uses our advice and information services.
- Visitor to any of our websites.
- Someone who contacts with us through social media platforms.
- Someone who buys goods from our trading company, BEA Trading Ltd.
- Volunteer or prospective volunteer.
- Donor or someone fundraising for us.
- Employee or prospective employee of Epilepsy Action.
- Supplier or prospective supplier to Epilepsy Action.
- Journalist, member of the media or someone who publishes or broadcasts to the public.
- MP, other parliamentarian or representative including councillors.
- Person within the epilepsy community who works with us. This can include health and social care professionals, commissioners and officials of government and other similar departments.
- Person from an organisation that wishes to work with us or ask us for support or information (including, but not limited to, charities, schools, companies).
Why we hold your data
We hold your details to:
- Communicate with you as a supporter and service user.
- Respond to your enquiry or request for information.
- Provide you with the service or membership you have requested.
- Process sales or donations and verify financial transactions.
- Manage orders, deliver items you have ordered and communicate with you about your order.
- Keep a record of any contact we have with you.
- Prevent or detect fraud.
- Enable third parties, working for us, to carry out technical or logistical functions for us.
- To carry out research on the demographics, background and interest of our supporters and users of our services. This is to get a better understanding of them and improve our services.
- Tell you about the things you have told us you are interested in – if you have given us permission to.
- Help you with any problems you may be experiencing with a form or our website. We may also do this if you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form.
How we collect data
We may collect and store information about you whenever you interact with us. For example, when you make a donation, register for an event or submit an enquiry. Other examples include if you register for our services, apply for a job or volunteering opportunity, or otherwise give us any other personal information.
We may also receive information about you from third parties for a specific purpose. However, this will only happen if you have given them permission to share your information.
Complying with the Data Protection Act
Data Protection Act principles require Epilepsy Action to process personal data fairly and lawfully. We will offer you choices about the way you are contacted. We will also be clear about how we will use your information. We will make sure that the reason for collecting information is lawful.
As required by law, Epilepsy Action has informed the Information Commissioner’s Office (ICO) why we collect and process data.
We only hold data about you that is enough for our purpose, nothing more.
We work to make sure the data we hold is accurate and up to date. Accuracy is checked when data is recorded, for example through Royal Mail postcode files.
We only hold personal data as long as necessary. However, we may need to keep personal data from you even if you have requested no further contact. This is so that we can make sure we don’t contact you about an activity. For example, it means we won’t include you when we send promotional communications to people in a particular geographic area.
We have systems in place to safeguard your personal data. Access to written and electronic personal data is restricted and has a level of security depending on the sensitivity of the data. No sensitive data linked to a person’s name or address is taken off-site from our offices unless it is either password protected or encrypted.
Marketing communication preferences
If you have given us permission to contact you about epilepsy news and information, our work or ways to support us, we will make sure that you can opt out of receiving marketing communications. At the first reasonable opportunity, you will be offered the chance to opt out of hearing from Epilepsy Action and its trading company. You will be able to say ‘no’ to contact by mail, telephone, text or email.
If at a later date you complete another form, giving different contact preferences, we will use those you have given most recently.
Every time we contact you in the future we will give you the chance to update your communication preferences.
Note on email marketing
Emails and text messages are also covered by the Privacy and Electronic Communications Regulations. Every time your email address or mobile telephone number is recorded, you will be offered email / text updates. You will have to tick a box to agree to your details being used for marketing emails / texts.
Also, any marketing emails / texts sent by Epilepsy Action will include the opportunity to unsubscribe from future emails / texts.
We may use your details to contact you with updates and information relating to your fundraising. This depends on your own privacy settings for social media and messaging sites such as Facebook, WhatsApp and Twitter. We will only do this for events you have expressed an interest in, or registered for. We may also use your details to promote other activities or events on social media platforms. To control these adverts you should amend your social media platform settings.
Building profiles of supporters and targeting communications
We may use profiling and screening techniques to ensure communications are relevant and well timed. We may also use them to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively. We do this because it allows us to understand the background of the people who support us. This helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. It also helps us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
When building a profile we may analyse geographic, demographic and other information relating to you. This is so we can understand your interests and preferences better in order to contact you with the most relevant communications. In doing this, we may use additional information from third-party sources when it is available. This information is gathered using publicly available data about you, for example addresses, listed directorships or typical earnings in a given area.
Giving your data to other organisations
We use third parties to handle some of our services on our behalf, as allowed under the Data Protection Act. These organisations are only allowed to use your personal information for the specific purpose they have been contracted for. For example, this could be to send a letter to you or process your direct debit.
We only transfer data outside the European Economic Area when in compliance with the conditions for transfer set out in Chapter V of the GDPR.
We always transfer your personal data securely – through a secure FTP (File Transfer Protocol) website, or as a password-protected file.
Unlike some organisations, we will never swap or sell your data to another organisation for them to use for marketing purposes.
If you contact our helpline we may record the following.
- Your interests in epilepsy and what affects you in your daily life. This helps us to monitor the demand for our services. It also helps us to plan the future content of our information booklets, fact sheets and web pages.
- Your age, epilepsy status and ethnicity. This helps us to identify trends in the range of people using our services and to plan improved access to them.
If you join Epilepsy Action as a member or use some of our services such as training courses, branches or others, we may record the following.
- Your age, epilepsy status and ethnicity. This helps us to identify trends in the range of people using our services and plan to improve access to them.
If you support our work as a media volunteer, we may record the following information – but we will never share it without your consent.
- Information about your epilepsy and the way it impacts on your day-to-day life.
- Information like your age and your personal experiences, to help us to match your story with media enquiries or our campaigns.
Some of this is classified as “sensitive data” (and is subject to additional Data Protection regulations). We will ask for your explicit consent to record and process sensitive information.
We have legally-backed reasons for collecting sensitive data. It helps us to achieve one or more of our charitable aims. For example, we can target membership benefits. None of this data will be used in a way that could harm you as an individual.
Emergency contact details
If you attend an Epilepsy Action event and provide us with emergency contact details you must confirm that you have the permission of the person whose details you provide has given permission for you to give us the information.
We will delete the emergency contact details as soon as practical after the event has ended.
Use of media and consent
Media consent applies to
- Video footage
- Still images taken from video
- Sound recordings
- Quotes and case studies submitted (spoken or written, including web form submissions)
It applies whether or not Epilepsy Action took the material, commissioned it or it was submitted by a third party.
If you give consent to the use of media Epilepsy Action may use it as follows
- on the Epilepsy Action website or other websites
- on social media and video-hosting platforms (for example Twitter, Facebook, Instagram and YouTube)
- in Epilepsy Action information materials, such as leaflets, presentations, posters or fundraising material
- for broadcast and radio interviews
- for written press articles
Expiry of consent
- Material will only be used, printed or published for as long as consent has been given.
- Consent can be withdrawn at any time in which case every effort will be made to withdraw from use and they will not be used in the future.
- Consent will be normally for five years but may be renewed by you.
- After expiry of consent photographs, videos or audio recordings etc will be
- Deleted from photographic libraries or other storage and not reused in publications etc.
- Withdrawn from use from web use and other similar environments.
- Epilepsy Action is unable to guarantee that we can withdraw from use images, videos or quotes that have been published prior to withdrawal of consent although all reasonable steps will be taken to do so.
Epilepsy Action will take all reasonable steps to make sure that content used for our web sites, publications and materials is not used by third parties without our permission. However, we cannot guarantee that third parties will always request our consent
At some of Epilepsy Action events other photographers not employed or associated with Epilepsy Action may take and distribute photographs etc. These may be journalists, other event attendees or casual passers-by. The use of these images etc are beyond Epilepsy Action’s control.
People who call our helpline
When you call the Epilepsy Action Helpline, we offer a translation service for customers if English is not your first language. This is provided by a third-party company. The company that provides this service does not keep any information from the calls or record them.
Job applicants, current and former Epilepsy Action employees
When people apply to work at Epilepsy Action, we use the information they supply to us to process their application and to monitor recruitment statistics. When we want to disclose information to a third party, we will not do so without telling the person in advance unless the disclosure is required by law. For example, we may need to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service.
Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has finished. It will then be securely destroyed or deleted. We keep de-personalised statistical information about applicants to help inform our recruitment activities. However, no individuals can be identified from that data.
Once a person has taken up employment with the Epilepsy Action, we will compile a file about their employment. The information in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Epilepsy Action has ended, we will keep the file as required by our retention schedule and then securely destroy or delete it.
Your data on our website
If you use any of the email facilities or forms on any of our sites, we will capture your email address, your name and, where relevant, your postal address. This means we can respond to your request, enquiry or order. We will ask if you want to opt in to being contacted in the future by mail, telephone, email or text.
If you use any of the secure forms on our sites, your credit card information is only used to complete that transaction. All such forms are secure and cannot be accessed by anyone other than the members of staff involved in completing the transaction.
We use standard third-party web analytics services (such as Google Analytics) to collect anonymous information about your computer, including your IP address, operating system and browser type. This includes for example the number of users viewing pages on the site, but it does not identify you individually. This means we can monitor and report on the effectiveness of the site and help us improve it. If visitors want to post a comment on our sites, we require visitors to enter a name and email address.
We may temporarily retain any data that you provide on the website if you place an order through our shop, even if you do not complete your order. Such contact details and data may be used to contact you to enquire if you require any assistance with your order but for no other purpose.
We use a third-party provider, Technology Trust, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies. This includes clear gifs to help us monitor and improve our e-newsletter.
We use third-party services to host our websites. These sites are hosted at:
- Amazon Data Services Ireland Ltd, operated on our behalf by Ixis IT Ltd
- Rackspace Ltd, operated on our behalf by QWeb Ltd and Muchloved Charitable Trust
- Krystal Hosting Ltd
- 34sp.com Ltd
- Shopify Inc.
- NFSN Inc (no personal data is stored on this server)
Spam prevention using a third-party system
We use web services (such as Mollom) to analyse the quality of content posted to our websites by users. This includes comments, forms, blogs and forum posts. They screen people’s contributions before they are posted and prevent spam. The contents of the form (including your personal data) and other information (such as IP address, operating system and browser type) are passed to these third-party systems. This enables them to decide whether the content is posted by spammers or similar. They will only use your information for this purpose.
People who contact us through social media
We use third-party providers Hootsuite and Tweetdeck to manage our social media interactions.
If you send us a private or direct message through social media, the message will be stored in line with our data retention policy. It will not be shared with any other organisations.
If a child under 16 joins Epilepsy Action or takes part in an event, we will keep their information to service their membership or the event. If a child uses the helpline or uses any other email facility to contact us, their information will only be used to deal with their enquiry.
We recognise the need to protect the privacy and safety of children under 16. We generally use photographs of models wherever possible and only use images of real children and their names where this is necessary in context.
Parental permission will have been obtained to use the image, and, in the case of children 13 and over, we also ask for the child’s permission.
Accessing information held about you
Epilepsy Action will assist you if you want to see the information we hold about you. A request should be made in writing, by letter or by email, to firstname.lastname@example.org. In most cases, we will reply to a request within a month. We may need to extend this period for particularly complex requests.
Incorrect data can be changed, blocked or destroyed.
You also have a right to prevent us processing your data for marketing or if it is likely to cause distress.
If you have already requested and received this information, there will need to be a reasonable period of time before you can request the information again.
Changing your communication preferences
You can change your communication preferences at any time. You can choose whether we contact you by mail, telephone, email or text message. You can also choose whether or not you receive information on certain activities of Epilepsy Action, such as appeals, campaigns and raffles. Just contact us – by phone on 0113 210 8800, in writing or by email to email@example.com or visit epilepsy.org.uk/contact
Asking for your data to be deleted
You can ask Epilepsy Action to stop using your personal data at any time. However, we usually keep the personal data of people who have requested no further contact. This is so that we can make sure we don’t include them in any activity aiming to recruit new supporters.
The remit of this policy
This privacy notice does not cover information gathered on other websites outside our control.
How to contact us
Requests for information about our privacy statement can be emailed to the supporter care team at:
or by writing to:
Data Protection Compliance Team
New Anstey House
Gate Way Drive
For a more detailed list of what information we collect and how it is used you can visit the Information Commissioner’s Office (ICO) website and view our registry entry. Our registration number is Z4605447