Data Protection & Privacy Policy

This policy document sets out how Unique collects, stores and uses the personal data you share with us, for example when you join us as members, fundraise for us, make donations or volunteer with us. It describes the information we collect, how long we will retain it for, who will have access to it and your rights, such as your right to access the information we hold about you.

Policy Summary

Please read our policy setting out how Unique collects, stores and uses the personal information you share with us. It describes what information we collect, how long we will retain it for, who will have access to it and your rights. This is a summary of the policy:

• We collect personal information when you join us as family members, including you, your family member with a rare chromosome disorder and other members of your immediate family. This includes health information. This is to enable us to provide support services relating to rare chromosome and gene disorders and to communicate with you.
• We collect personal information when you join us as professional members, e.g. clinicians and social workers, eg contact details, workplace and specialism.
• We collect information about our supporters, fundraisers and volunteers to enable us to contact you about your fundraising, donations, volunteering and buying merchandise and to meet our legal requirements to maintain accurate financial records.
• You may also give us your permission to contact you separately about topics such as fundraising, awareness-raising, volunteering.
• We only collect the information we need to provide the best possible service to our members. Information you provide may also benefit other member families.
• Data provided when you join Unique as members is stored for the duration of your membership. Other data, such as financial records of donations or standing orders, as retained as long as is necessary to meet our legal requirements. For purposes other than our support services (e.g fundraising, volunteering) we will seek to check your consent (to contact you) every three years.
• We protect the security of the data you provide us, including using the latest encryption technologies and secure backups. Our IT contractors have robust policies in place and we would be happy to share these with you on request.
• We will never sell or otherwise share your personal data with third parties for marketing purposes. Personal (i.e. identifiable), data would only be shared for other purposes if we were required by law to do so or we had your explicit, express consent. Any third parties we work with are contracted to keep your data secure and treat it in the strictest confidence, using the latest security.
• We use the data we hold on family members and their RCDs and their effects in anonymous format to research and write guides, provide support and information to other members and clinicians and for research into and raising awareness of RCDs.
• Only designated staff members can access members’ health information.
• You have a number of rights, including the right to access the data we hold about you and the right to ask us to delete all data we hold about you at any time.
• We may change this policy from time to time, e.g. to reflect changes in the law or guidelines from appropriate regulators. Please check our website (rarechromo.org) regularly for details of any changes

Full Data Protection & Privacy Policy

Purpose

This policy outlines Unique’s commitment to data protection and compliance with the UK Data Protection Act.  The purpose of this policy is to ensure that all personal data held by the charity is processed lawfully, fairly, and transparently, and that the rights of data subjects are protected. This policy applies to all individuals working on behalf of Unique, including trustees, staff, and volunteers as well as members and non-members of Unique who use our services.

Responsibilities

Unique’s Data Protection Lead is Louise Jeffree, who will be responsible for overseeing data protection and leading on any incident investigation and reporting. The Data Protection Lead will also ensure that all staff and volunteers are provided with any induction, on the job or other training and made aware of their data protection responsibilities.

Data Protection

Data protection is the practice of safeguarding personal information by applying data protection principles and complying with the Data Protection Act. The Data Protection Act is a UK law that regulates the processing of personal data. The UK Information Commissioner’s Office (ICO) provides guidelines on data protection that Unique will follow.

Unique’s Data Protection Principles

•  Data is processed lawfully, fairly and in a transparent manner 

  • There are several grounds on which data may be collected, including consent.

  • We are clear that our collection of data is legitimate, and we have obtained consent to hold an individual’s data, where appropriate.

  • We are open and honest about how and why we collect data and individuals have a right to access their data.

• Data is collected for specified, explicit and legitimate purposes and not used for any other purpose

  • We are clear on what data we will collect and the purpose for which it will be used and only collect data that we need.

  • When data is collected for a specific purpose, it may not be used for any other purpose, without the consent of the person whose data it is.

• Data is adequate, relevant and limited to what is necessary

  • We collect all the data we need to get the job done and none that we don’t need.

• Data is accurate and, where necessary, kept up to date

  • We ensure that what we collect is accurate and have processes and/or checks to ensure that data which needs to be kept up-to-date is, such as beneficiary, staff or volunteer records.  We will contact you periodically to ask you to update us about the data we hold in our registry.

  • We correct any mistakes promptly and erase any data on request.

• Data is kept for no longer than is necessary. We understand what data we need to retain, for how long and why

  • We only hold data only for as long as we need to. As the conditions we support are lifelong conditions, we will store and process your data for as long as you are a member of Unique.

  • That includes both hard copy and electronic data.

  • Some data must be kept for specific periods of time (eg accounting, H&SW).

  • We have some form of archive/review policy/process that ensures data no longer needed is destroyed.

• Data is processed to ensure appropriate security, not only to protect against unlawful use, but also loss or damage

  • Data is held securely, so that it can only be accessed by those who need to do so. For example, paper documents are locked away, access to online folders in shared drives is restricted to those who need it, IT systems are password protected, and/or sensitive documents that may be shared (eg payroll) are password protected.

  • Data is kept safe. Our IT systems have adequate anti-virus and firewall protection that’s up-to-date.  Staff understand what they must and must not do to safeguard against cyber-attack, and that passwords must be strong and not written down or shared.  

  • Data is recoverable. We have adequate data back-up and disaster recovery processes.

Individual Rights

We recognise that individuals’ rights include the right to be informed of access, to rectification, erasure, restrict processing, data portability and to object.  We will respect the privacy and contact preferences of our donors. We will respond promptly to requests to cease contacts or complaints and act to address their causes.

Member Families:

When families join Unique, we collect information from them about affected family members which includes sensitive personal and health data and information regarding schooling, social care visits and treatments.  Members choose to give us this information and can ask us to remove it from our records at any time.  We also collect some personal data from professionals so we can register them with Unique.  We ask members and non-members for consent for us to communicate with them about topics such as awareness raising, fundraising and volunteering.  This consent can be revoked at any time by emailing help@rarechromo.org or phoning 01883 723356.

Under the Data Protection Act 2018, (Schedule 1, Part 2, Paragraph 16) concerning  ‘Support for individuals with a particular disability or medical condition’, patient support groups such as Unique can continue processing data in special categories such as health information and genetic/biometric data, outside of the usual consent requirements, when in the public interest. This means that once we have your consent to process the data you provided us when you joined as Unique members, we will continue to process these data until you tell us otherwise. For further information on the Data Protection Bill, please see www.legislation.gov.uk or www.ico.org.uk

Employees/Trustees:

We hold personal information about our current and past employees and trustees.  This enables us to meet our legal requirements in relation to employment and charity governance and take decisions on employee and trustee recruitment and employment, future strategy and to enable us to further our charitable aims.

Financial Records:

Unique is required to collect information about our sources of income in order to produce accurate financial statements and to comply with the law relating to the retention of financial data.  When someone makes a donation via our website or otherwise, we are required to collect personal information to enable us to process that transaction, some of which is shared with our secure payment partners (Paypal, Worldpay, Facebook etc) in order for them to effect the transaction.  Your card details are only stored on the secure sites of the payment partner depending on the method you use to donate.  Similarly, if you use an online fundraising partner such as Just Giving or Much Loved, your data is held with them, and you will be asked to consent to them sending some of that data to Unique for our financial record keeping purposes.  If you complete a Gift Aid Declaration, this will be retained by Unique for HMRC purposes to comply with our legal requirements.

Fundraising & Volunteering Records:

When you fundraise or volunteer for Unique, we collect and store your contact details as well as any other information you provide voluntarily such as your reason for fundraising/volunteering.  When contacting us about fundraising, we will store emails you send us and will record in written/note form details of telephone conversations, in order that we can help your fundraising. We will also direct you to our chosen online fundraising partners such as Just Giving or Enthuse, who will collect your personal information when you set up an online fundraising page to collect sponsorship.

We collect this information to enable us to send administrative messages, to thank and support you, send you fundraising materials and contact you in case of query. This information also enables us to meet our legal requirements to accurately produce accounts/financial statements/gift aid.

We will ensure that our fundraising complies with the Data Protection Act and ICO guidelines and also the Fundraising Regulator guidelines including, if applicable, direct marketing and The Privacy and Electronic Communications Regulations.  We will respect the privacy and contact preferences of our donors.

Browsing the Unique Website:

We collect anonymous, non-personal information about the users of our website which helps us improve the user experience on our site.  We also make use of cookies. A cookie is a series of characters that is generated by our website and stored on your computer when you visit our site.  The cookie does not track your movements on other websites. You do not have to accept our cookie in order to be able to use our website.

Keeping your data safe:

Working with our IT contractors, we have implemented technology and policies to protect your privacy from unauthorised access and improper use. This includes use of the latest encryption technology. These are constantly kept under review and will be updated as new technology becomes available and to comply with legal requirements. Health information we collect and store is classified as sensitive under the GDPR and therefore has a higher level of security.

Data provided as part of your Unique membership is stored securely on a server in the United Kingdom. Regular back-ups of data are taken at secure facilities, arranged by our IT contractors and also located in the United Kingdom. Any paper records are stored securely in the United Kingdom.

We have a contractual relationship with a provider of bulk email, survey and event registration services and store limited data (email addresses, not health or other sensitive data) on their secure servers located in the USA to enable us to communicate with you cost effectively.

While we cannot absolutely guarantee that loss, misuse or alteration of data will not occur, we use our very best efforts to prevent this.

Who can access your data?

Our members of staff have access to your basic personal information but only those staff members who require access to carry out their job roles are able to access members’ medical/health information.

If you are Unique members, where we have your express consent to do so and in a manner of your choosing, collected at the time you join us as members or at any later date, your data may be disclosed only to other registered Unique members as part of our family matching service. This is in order that you can contact other families for the purposes of sharing information and mutual support.

We may use third party companies to provide services on our behalf. This could include services such as bulk email services, packaging, mailing and delivery companies.  We will only provide those third parties with the information they need to deliver the service, and they are prohibited from using it for any other purpose. We require all third parties to treat your personal information as fully confidential and to comply with all applicable UK Data Protection and consumer legislation.

Your Rights

Under the GDPR, individuals have a number of rights concerning their personal information and we will adhere to these:

You have the right to be informed about how and why we collect, store and use your information. We will do this when we collect your information, e.g. when you join us as members or when you sign up to receive emails through our website. This policy is available on the Unique website or as a hard copy by request.

You have the right to access the personal information we hold about you. You can request this verbally or in writing and when we receive such a request we will endeavour to respond quickly but within a maximum of one month. This is called a Subject Access Request (SAR) and there is no charge. Following this you have a right to request that any data held about you that you feel is inaccurate is rectified or completed if incomplete. You also have the ‘right to be forgotten’, i.e. for all data we hold about you to be erased and also to require us to restrict or ‘suppress’ how we use your data (you might for example be happy for us to store it but not process it for certain purposes). Again, we will respond as quickly as we can to such requests but within a maximum of one month.

To make a request, for example to access the information we hold about you, call +44 (0)1883-723306 or email help@rarechromo.org.

Use of Imagery/Video

All imagery is protected by copyright and cannot be used without the consent of the owner, usually the person who took the image.  For this reason, Unique will always obtain consent from the owner and any other persons in the image where reasonably possible before using it.  We consider the following before use:

• For what purpose was the original image taken? If it was for one purpose, such as personal use, it cannot be used for another without the consent of the individuals concerned

• Is the image sensitive personal data? If it is, we need the individual’s consent

• When using images of children, or other vulnerable people, we need valid consent and will only use if confident the use of the image will not place them at risk.

• When photographing large groups, individuals should be given a chance to opt out of the photograph

• Has the person/people in the image been told how the image will be used?

Data Breach

A breach is more than only losing personal data.  It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 

We will investigate the circumstances of any loss or breach, to identify if any action needs to be taken.  Action might include changes in procedures, where there will help to prevent a re-occurrence or disciplinary or other action, in the event of negligence.

We will notify the ICO within 72 hours, of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals. For example:

• Result in discrimination.

• Damage to reputation.

• Financial loss.

• Loss of confidentiality or any other significant economic or social disadvantage.

Other Policies

Policies that reference this one include:

• ICT & Acceptable Use Policy

• Safeguarding Policy

Changes to this Policy

We may make changes to this policy from time to time, for example to update it to reflect changes in the law or guidelines from appropriate regulators such as the Information Commissioner (www.ico.org.uk). Please check our website (www.rarechromo.org) regularly for details of any such changes.

Any questions?

If you have any questions or concerns about how we protect your personal information, please contact us.

Unique – Rare Chromosome Disorder Support Group
The Stables
Station Road West
Oxted
Surrey
RH8 9EE
United Kingdom

Telephone: +44 (0)1883-723306
Email: help@rarechromo.org

Last edited 14/11/2025 by Louise Jeffree, Finance & Ops Manager and Company Secretary.