1. Introduction
At Amyloidosis UK, we are committed to protecting and respecting your privacy. This policy explains:
- when and why we collect personal information about people who visit our website or engage with our services;
- how we use it, and the conditions under which we may disclose it to others;
- how we keep it secure;
- your rights in relation to that information;
- the responsibilities of our staff, volunteers and trustees.
As a patient-focused health charity, we regularly handle sensitive personal information, including health-related information (“special category data”). We recognise the importance of maintaining your trust and ensuring compliance with:
- UK GDPR
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- Charity Commission guidance
- Information Commissioner’s Office (ICO) guidance
We may update this policy from time to time. Please check this page occasionally to ensure that you are happy with any changes. By using our website, you agree to be bound by this policy.
If you have any questions, please contact us at: info@amyloidosisuk.org
2. Scope
This policy applies to:
- trustees
- employees
- volunteers
- contractors and consultants
- anyone processing personal data on behalf of AUK
It applies to all personal data processed electronically, on paper, verbally or otherwise.
3. Key Principles
AUK will comply with the UK GDPR data protection principles, ensuring personal data is:
- Lawful, fair and transparent — we will clearly explain how data is used.
- Collected for specified purposes only — we will only use personal data for legitimate charity purposes.
- Adequate, relevant and limited — we will only collect information we genuinely need.
- Accurate and kept up to date — we will take reasonable steps to correct inaccuracies.
- Stored only as long as necessary — we will follow documented retention periods.
- Secure — we will protect data against unauthorised access, loss or misuse.
- Accountable — we will maintain records and demonstrate compliance.
AUK will appoint a Data Protection Officer responsible for ensuring compliance with this policy, data protection law and UK GDPR.
4. How We Collect Information
We obtain information about you when you use our website — for example, when you complete a contact form, registration form, or any other form within our site.
5. Types of Data We May Process
Personal Data
Examples include:
- names, addresses, email addresses and telephone numbers
- IP address and information about pages accessed and when
- donation history
- volunteer records
- event registrations
Special Category Data
As a health charity, AUK may also process:
- health and diagnosis information
- patient support needs
- accessibility requirements
- ethnicity data (where relevant)
- safeguarding-related information
Health information is classed as “special category data” under UK GDPR and requires additional protections, including stronger justification for data collection, stronger safeguards, accountability and security protections.
6. Lawful Basis for Processing
AUK will only process personal data where there is a lawful basis under Article 6 UK GDPR. For further information see
ICO guidance on lawful basis: ico.org.uk — A Guide to Lawful Basis
| Purpose | Lawful Basis |
| Charity administration | Legitimate interests |
| Delivering patient support | Legitimate interests / vital interests |
| Donations and fundraising | Legitimate interests / consent |
| Employment administration | Legal obligation / contract |
| Safeguarding | Legal obligation / vital interests |
| Medical or health-related support services | Explicit consent or not-for-profit condition |
Where special category data is processed, AUK will also identify an Article 9 condition. For further information:
ICO guidance on special category data (Article 9)
Examples of Article 9 conditions AUK may rely on include: explicit consent, not-for-profit body condition, vital interests, health or social care purposes, and substantial public interest.
AUK will document our lawful basis before processing begins.
7. Consent
Where consent is used as the lawful basis, it must be:
- freely given
- specific and informed
- unambiguous
- easy to withdraw
For health data or marketing communications requiring consent, AUK will seek explicit consent where required by law. AUK will maintain records of consent.
8. How Your Information is Used
We may use your information to:
- respond to queries raised via the contact form;
- carry out our obligations arising from any contracts entered into with you;
- seek your views or comments on the services we provide;
- notify you of changes to our services;
- send communications you have requested or which may be of interest to you, including information about campaigns, appeals, fundraising activities, and promotions.
We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract.
9. Fundraising & Marketing
AUK may contact supporters by post, phone, email or SMS in accordance with UK GDPR and PECR. AUK will:
- provide clear opt-out mechanisms;
- honour unsubscribe requests promptly;
- avoid excessive or intrusive communications;
- never sell personal data;
- only share supporter data where lawful and transparent.
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted.
You can change your marketing preferences at any time by emailing: info@amyloidosisuk.org
All marketing activity will be proportionate, ethical and aligned with Charity Commission expectations regarding public trust.
10. Data Sharing
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
AUK will only share personal information where there is a lawful basis, it is necessary, and appropriate safeguards are in place. Data may be shared with:
- healthcare professionals
- partner charities
- professional advisers
- IT and cloud service providers (third-party processors acting on our behalf)
- regulators or law enforcement where legally required
When we use third-party service providers, we disclose only the personal information necessary to deliver that service. All third-party processors must provide sufficient guarantees regarding security and GDPR compliance. Appropriate data processing agreements will be in place where required.
We may also transfer your personal information to a third party as part of a sale of some or all of our business assets, or as part of any business restructuring or reorganisation, or where we are under a legal obligation to do so. We will take steps to ensure your privacy rights continue to be protected in such circumstances.
11. International Transfers
In the rare instance where personal data is transferred outside the UK (for example, where servers are located in a country outside the UK), AUK will ensure appropriate safeguards are in place, including:
- adequacy regulations;
- International Data Transfer Agreements (IDTAs);
- approved contractual clauses.
These countries may not have similar data protection laws to the UK. By submitting your personal data, you are agreeing to this transfer, storage or processing. If you use our services while outside the UK, your information may be transferred outside the UK in order to provide those services.
12. Data Security
When you give us personal information, we take steps to ensure it is treated securely. Any sensitive and non-sensitive information is encrypted and protected. When you are on a secure page, a lock icon will appear in the web address bar.
AUK will implement appropriate technical and organisational measures including:
Technical Measures
- password protection and multi-factor authentication
- encryption where appropriate
- secure backups
- anti-virus and firewall protection
- restricted access controls
Organisational Measures
- confidentiality obligations
- staff training
- secure disposal procedures
- clear desk and screen practices
- role-based access permissions
Because health information carries higher risk, additional safeguards will apply to special category data.
Where we have given (or where you have chosen) a password to access certain parts of our website, you are responsible for keeping it confidential. Please do not share your password with anyone.
13. Data Retention
Personal data will not be kept longer than necessary. AUK will maintain a retention schedule covering:
- supporter records
- patient enquiries
- safeguarding records
- employee and trustee records
- financial information
Data that is no longer required will be securely deleted or destroyed.
14. Your Rights
You have a choice about whether or not you wish to receive information from us. You can select your preferences when completing forms on our website, or contact us at any time.
Individuals have the following rights under UK GDPR:
- the right to be informed
- the right to access your data
- the right to rectify inaccurate data
- the right to erasure (“right to be forgotten”)
- the right to restrict processing
- the right to object to processing
- the right to data portability
- the right not to be subject to solely automated decision-making
Requests will normally be responded to within one month.
To exercise any of these rights, or to request a copy of the information we hold about you, please contact us at: info@amyloidosisuk.org
15. Profiling
We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources.
16. Data Breaches
Any personal data breach must be reported immediately to the designated lead within Amyloidosis UK. Examples include:
- lost devices
- emails sent to the wrong recipient
- unauthorised access
- cyber incidents
- accidental disclosure
Amyloidosis UK will investigate breaches promptly, mitigate risks, notify the ICO within 72 hours where legally required, and inform affected individuals where there is a high risk to their rights and freedoms.
17. Data Protection Impact Assessments (DPIAs)
Amyloidosis UK will carry out a DPIA where processing is likely to result in high risk to individuals — particularly when processing health data or introducing new technologies.
18. Staff, Volunteer & Trustee Responsibilities
All trustees, staff and volunteers must:
- handle personal data responsibly;
- complete relevant training;
- follow security procedures;
- report concerns promptly;
- only access information necessary for their role.
Failure to comply with this policy may result in disciplinary action.
19. Safeguarding & Confidentiality
As a patient-focused charity, AUK recognises that confidentiality and safeguarding are closely linked. Information relating to vulnerable adults, carers or safeguarding concerns will be handled sensitively and shared strictly on a need-to-know basis.
20. Links to Other Websites
Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website. We encourage you to read the privacy statements on other websites you visit. We cannot be responsible for the privacy policies and practices of other sites, even if you access them using links from our website.
21. Under 16s
We are committed to protecting the privacy of children aged 16 or under. If you are aged 16 or under, please get your parent or guardian’s permission before providing us with any personal information.
22. Governance & Accountability
The trustees of AUK retain overall responsibility for data protection compliance. The charity will:
- maintain appropriate policies and procedures;
- keep records of processing activities where required;
- review risks regularly;
- monitor compliance;
- review this policy annually.
23. Contact & Complaints
For any data protection queries, requests or complaints, contact:
Data Protection Lead Office 7, First Floor, No 11 Riverside Industrial Park Farnham GU9 7UG
Email: info@amyloidosisuk.org
Individuals also have the right to complain to the Information Commissioner’s Office:
24. Policy Review
This policy will be reviewed:
- annually;
- following significant legal or regulatory change;
- after any major data breach or compliance issue.
This policy reflects current UK GDPR and ICO guidance as of May 2026.
Note: ICO Article 9 is due to be updated in Summer 2026.
25. Quick Reference — Key Commitments
Amyloidosis UK will always:
- keep personal information secure
- only collect necessary information
- explain how data is used
- respect people’s rights
- obtain consent where required
- protect sensitive health information
- report serious data breaches
- regularly review compliance arrangements
26. Approval
Approved by the Board of Trustees of Amyloidosis UK.
| Version | Date | Approved By | Review Date |
| 1.0 | 1/6/26 | Board of Trustees | 1/6/27 |
Appendix 1 — Further Information & Links
Lawful Basis (Article 6): ico.org.uk — A Guide to Lawful Basis
Special Category Data (Article 9): ico.org.uk — Special Category Data
Information Commissioner’s Office: ico.org.uk
Privacy and Electronic Communications Regulations 2003: legislation.gov.uk
Appendix 2 — Special Category Data Checklist
Before processing special category data, AUK will confirm:
- Processing of the special category data is necessary for the purpose identified, and there is no other reasonable and less intrusive way to achieve that purpose.
- An Article 6 lawful basis for processing the special category data has been identified.
- An appropriate Article 9 condition for processing the special category data has been identified.
- Where required, an appropriate DPA 2018 Schedule 1 condition has also been identified.
- Which special categories of data are being processed have been documented.
- Where required, the additional policy document in Appendix 3 is utilised.
- Whether a data protection impact assessment is needed has been considered.
- Specific information about the processing of special category data is included in privacy information for individuals.
- If special category data is used for automated decision making (including profiling), compliance with Article 22 has been confirmed.
- The risks associated with the use of special category data and their effect on other obligations (data minimisation, security, DPO appointment) have been considered.
Appendix 3 — Appropriate Policy Document
Description of data processed
Give a brief description of each category of special category (SC) or criminal offence (CO) data processed.
[To be completed per processing activity]
Schedule 1 condition for processing
Give the name and paragraph number of the relevant Schedule 1 condition(s) for processing. Alternatively, provide a link to the privacy policy, record of processing or any other relevant documentation.
[To be completed per processing activity]
Procedures for ensuring compliance with the principles
The following questions should be addressed for each processing activity involving special category data. Answers may reference other documentation, DPIAs or privacy notices rather than being reproduced in full.
Accountability
- Do we maintain appropriate documentation of our processing activities?
- Do we have appropriate data protection policies?
- Do we carry out DPIAs for uses of personal data likely to result in high risk?
Principle (a): Lawfulness, fairness and transparency
- Have we identified an appropriate lawful basis and Schedule 1 condition for processing SC/CO data?
- Do we make appropriate privacy information available with respect to SC/CO data?
- Are we open and honest when we collect SC/CO data and do we ensure we do not mislead people about its use?
Principle (b): Purpose limitation
- Have we clearly identified our purposes for processing SC/CO data?
- Have we included appropriate details in our privacy information for individuals?
- If we plan to use data for a new purpose, do we check this is compatible or obtain specific consent?
Principle (c): Data minimisation
- Are we satisfied we only collect SC/CO data we actually need for our specified purposes?
- Do we periodically review this data and delete anything we don’t need?
Principle (d): Accuracy
- Do we have appropriate processes to check the accuracy of SC/CO data we collect?
- Do we have a process to identify when data needs updating and to update it as necessary?
- Do we have procedures for how we keep records of mistakes or opinions and deal with challenges to accuracy?
Principle (e): Storage limitation
- Do we carefully consider how long we keep SC/CO data and can we justify this period?
- Do we regularly review and erase or anonymise SC/CO data when we no longer need it?
Principle (f): Integrity and confidentiality (security)
- Have we analysed the risks and used this to assess the appropriate level of security?
- Do we have an information security policy regarding SC/CO data, and is it regularly reviewed?
- Have we put other technical measures in place because of the type of SC/CO data being processed?
Retention and erasure policies
Set out retention and erasure policies with respect to each category of SC/CO data, including how long each specific category is likely to be retained.
[To be completed per processing activity]
APD Review Date and Accountability
[To be completed]