Privacy and Data Protection Policy

1. Introduction

At Amyloidosis UK, we are committed to protecting and respecting your privacy. This policy explains:

  • when and why we collect personal information about people who visit our website or engage with our services;
  • how we use it, and the conditions under which we may disclose it to others;
  • how we keep it secure;
  • your rights in relation to that information;
  • the responsibilities of our staff, volunteers and trustees.

As a patient-focused health charity, we regularly handle sensitive personal information, including health-related information (“special category data”). We recognise the importance of maintaining your trust and ensuring compliance with:

  • UK GDPR
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Charity Commission guidance
  • Information Commissioner’s Office (ICO) guidance

We may update this policy from time to time. Please check this page occasionally to ensure that you are happy with any changes. By using our website, you agree to be bound by this policy.

If you have any questions, please contact us at: info@amyloidosisuk.org

2. Scope

This policy applies to:

  • trustees
  • employees
  • volunteers
  • contractors and consultants
  • anyone processing personal data on behalf of AUK

It applies to all personal data processed electronically, on paper, verbally or otherwise.

3. Key Principles

AUK will comply with the UK GDPR data protection principles, ensuring personal data is:

  • Lawful, fair and transparent — we will clearly explain how data is used.
  • Collected for specified purposes only — we will only use personal data for legitimate charity purposes.
  • Adequate, relevant and limited — we will only collect information we genuinely need.
  • Accurate and kept up to date — we will take reasonable steps to correct inaccuracies.
  • Stored only as long as necessary — we will follow documented retention periods.
  • Secure — we will protect data against unauthorised access, loss or misuse.
  • Accountable — we will maintain records and demonstrate compliance.

AUK will appoint a Data Protection Officer responsible for ensuring compliance with this policy, data protection law and UK GDPR.

4. How We Collect Information

We obtain information about you when you use our website — for example, when you complete a contact form, registration form, or any other form within our site.

5. Types of Data We May Process

Personal Data

Examples include:

  • names, addresses, email addresses and telephone numbers
  • IP address and information about pages accessed and when
  • donation history
  • volunteer records
  • event registrations

Special Category Data

As a health charity, AUK may also process:

  • health and diagnosis information
  • patient support needs
  • accessibility requirements
  • ethnicity data (where relevant)
  • safeguarding-related information

Health information is classed as “special category data” under UK GDPR and requires additional protections, including stronger justification for data collection, stronger safeguards, accountability and security protections.

6. Lawful Basis for Processing

AUK will only process personal data where there is a lawful basis under Article 6 UK GDPR. For further information see 

ICO guidance on lawful basis: ico.org.uk — A Guide to Lawful Basis

PurposeLawful Basis
Charity administrationLegitimate interests
Delivering patient supportLegitimate interests / vital interests
Donations and fundraisingLegitimate interests / consent
Employment administrationLegal obligation / contract
SafeguardingLegal obligation / vital interests
Medical or health-related support servicesExplicit consent or not-for-profit condition

Where special category data is processed, AUK will also identify an Article 9 condition. For further information:

ICO guidance on special category data (Article 9)

Examples of Article 9 conditions AUK may rely on include: explicit consent, not-for-profit body condition, vital interests, health or social care purposes, and substantial public interest.

AUK will document our lawful basis before processing begins.

7. Consent

Where consent is used as the lawful basis, it must be:

  • freely given
  • specific and informed
  • unambiguous
  • easy to withdraw

For health data or marketing communications requiring consent, AUK will seek explicit consent where required by law. AUK will maintain records of consent.

8. How Your Information is Used

We may use your information to:

  • respond to queries raised via the contact form;
  • carry out our obligations arising from any contracts entered into with you;
  • seek your views or comments on the services we provide;
  • notify you of changes to our services;
  • send communications you have requested or which may be of interest to you, including information about campaigns, appeals, fundraising activities, and promotions.

We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract.

9. Fundraising & Marketing

AUK may contact supporters by post, phone, email or SMS in accordance with UK GDPR and PECR. AUK will:

  • provide clear opt-out mechanisms;
  • honour unsubscribe requests promptly;
  • avoid excessive or intrusive communications;
  • never sell personal data;
  • only share supporter data where lawful and transparent.

We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted.

You can change your marketing preferences at any time by emailing: info@amyloidosisuk.org

All marketing activity will be proportionate, ethical and aligned with Charity Commission expectations regarding public trust.

10. Data Sharing

We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

AUK will only share personal information where there is a lawful basis, it is necessary, and appropriate safeguards are in place. Data may be shared with:

  • healthcare professionals
  • partner charities
  • professional advisers
  • IT and cloud service providers (third-party processors acting on our behalf)
  • regulators or law enforcement where legally required

When we use third-party service providers, we disclose only the personal information necessary to deliver that service. All third-party processors must provide sufficient guarantees regarding security and GDPR compliance. Appropriate data processing agreements will be in place where required.

We may also transfer your personal information to a third party as part of a sale of some or all of our business assets, or as part of any business restructuring or reorganisation, or where we are under a legal obligation to do so. We will take steps to ensure your privacy rights continue to be protected in such circumstances.

11. International Transfers

In the rare instance where personal data is transferred outside the UK (for example, where servers are located in a country outside the UK), AUK will ensure appropriate safeguards are in place, including:

  • adequacy regulations;
  • International Data Transfer Agreements (IDTAs);
  • approved contractual clauses.

These countries may not have similar data protection laws to the UK. By submitting your personal data, you are agreeing to this transfer, storage or processing. If you use our services while outside the UK, your information may be transferred outside the UK in order to provide those services.

12. Data Security

When you give us personal information, we take steps to ensure it is treated securely. Any sensitive and non-sensitive information is encrypted and protected. When you are on a secure page, a lock icon will appear in the web address bar.

AUK will implement appropriate technical and organisational measures including:

Technical Measures

  • password protection and multi-factor authentication
  • encryption where appropriate
  • secure backups
  • anti-virus and firewall protection
  • restricted access controls

Organisational Measures

  • confidentiality obligations
  • staff training
  • secure disposal procedures
  • clear desk and screen practices
  • role-based access permissions

Because health information carries higher risk, additional safeguards will apply to special category data.

Where we have given (or where you have chosen) a password to access certain parts of our website, you are responsible for keeping it confidential. Please do not share your password with anyone.

13. Data Retention

Personal data will not be kept longer than necessary. AUK will maintain a retention schedule covering:

  • supporter records
  • patient enquiries
  • safeguarding records
  • employee and trustee records
  • financial information

Data that is no longer required will be securely deleted or destroyed.

14. Your Rights

You have a choice about whether or not you wish to receive information from us. You can select your preferences when completing forms on our website, or contact us at any time.

Individuals have the following rights under UK GDPR:

  • the right to be informed
  • the right to access your data
  • the right to rectify inaccurate data
  • the right to erasure (“right to be forgotten”)
  • the right to restrict processing
  • the right to object to processing
  • the right to data portability
  • the right not to be subject to solely automated decision-making

Requests will normally be responded to within one month.

To exercise any of these rights, or to request a copy of the information we hold about you, please contact us at: info@amyloidosisuk.org

15. Profiling

We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources.

16. Data Breaches

Any personal data breach must be reported immediately to the designated lead within Amyloidosis UK. Examples include:

  • lost devices
  • emails sent to the wrong recipient
  • unauthorised access
  • cyber incidents
  • accidental disclosure

Amyloidosis UK will investigate breaches promptly, mitigate risks, notify the ICO within 72 hours where legally required, and inform affected individuals where there is a high risk to their rights and freedoms.

17. Data Protection Impact Assessments (DPIAs)

Amyloidosis UK will carry out a DPIA where processing is likely to result in high risk to individuals — particularly when processing health data or introducing new technologies.

18. Staff, Volunteer & Trustee Responsibilities

All trustees, staff and volunteers must:

  • handle personal data responsibly;
  • complete relevant training;
  • follow security procedures;
  • report concerns promptly;
  • only access information necessary for their role.

Failure to comply with this policy may result in disciplinary action.

19. Safeguarding & Confidentiality

As a patient-focused charity, AUK recognises that confidentiality and safeguarding are closely linked. Information relating to vulnerable adults, carers or safeguarding concerns will be handled sensitively and shared strictly on a need-to-know basis.

20. Links to Other Websites

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website. We encourage you to read the privacy statements on other websites you visit. We cannot be responsible for the privacy policies and practices of other sites, even if you access them using links from our website.

21. Under 16s

We are committed to protecting the privacy of children aged 16 or under. If you are aged 16 or under, please get your parent or guardian’s permission before providing us with any personal information.

22. Governance & Accountability

The trustees of AUK retain overall responsibility for data protection compliance. The charity will:

  • maintain appropriate policies and procedures;
  • keep records of processing activities where required;
  • review risks regularly;
  • monitor compliance;
  • review this policy annually.

23. Contact & Complaints

For any data protection queries, requests or complaints, contact:

Data Protection Lead Office 7, First Floor, No 11 Riverside Industrial Park Farnham GU9 7UG

Email: info@amyloidosisuk.org

Individuals also have the right to complain to the Information Commissioner’s Office:

ico.org.uk

24. Policy Review

This policy will be reviewed:

  • annually;
  • following significant legal or regulatory change;
  • after any major data breach or compliance issue.

This policy reflects current UK GDPR and ICO guidance as of May 2026.

Note: ICO Article 9 is due to be updated in Summer 2026.

25. Quick Reference — Key Commitments

Amyloidosis UK will always:

  • keep personal information secure
  • only collect necessary information
  • explain how data is used
  • respect people’s rights
  • obtain consent where required
  • protect sensitive health information
  • report serious data breaches
  • regularly review compliance arrangements

26. Approval

Approved by the Board of Trustees of Amyloidosis UK.

VersionDateApproved ByReview Date
1.01/6/26Board of Trustees1/6/27

Appendix 1 — Further Information & Links

Lawful Basis (Article 6): ico.org.uk — A Guide to Lawful Basis

Special Category Data (Article 9): ico.org.uk — Special Category Data

Information Commissioner’s Office: ico.org.uk

Privacy and Electronic Communications Regulations 2003: legislation.gov.uk

Appendix 2 — Special Category Data Checklist

Before processing special category data, AUK will confirm:

  • Processing of the special category data is necessary for the purpose identified, and there is no other reasonable and less intrusive way to achieve that purpose.
  • An Article 6 lawful basis for processing the special category data has been identified.
  • An appropriate Article 9 condition for processing the special category data has been identified.
  • Where required, an appropriate DPA 2018 Schedule 1 condition has also been identified.
  • Which special categories of data are being processed have been documented.
  • Where required, the additional policy document in Appendix 3 is utilised.
  • Whether a data protection impact assessment is needed has been considered.
  • Specific information about the processing of special category data is included in privacy information for individuals.
  • If special category data is used for automated decision making (including profiling), compliance with Article 22 has been confirmed.
  • The risks associated with the use of special category data and their effect on other obligations (data minimisation, security, DPO appointment) have been considered.

Appendix 3 — Appropriate Policy Document

Description of data processed

Give a brief description of each category of special category (SC) or criminal offence (CO) data processed.

[To be completed per processing activity]

Schedule 1 condition for processing

Give the name and paragraph number of the relevant Schedule 1 condition(s) for processing. Alternatively, provide a link to the privacy policy, record of processing or any other relevant documentation.

[To be completed per processing activity]

Procedures for ensuring compliance with the principles

The following questions should be addressed for each processing activity involving special category data. Answers may reference other documentation, DPIAs or privacy notices rather than being reproduced in full.

Accountability

  • Do we maintain appropriate documentation of our processing activities?
  • Do we have appropriate data protection policies?
  • Do we carry out DPIAs for uses of personal data likely to result in high risk?

Principle (a): Lawfulness, fairness and transparency

  • Have we identified an appropriate lawful basis and Schedule 1 condition for processing SC/CO data?
  • Do we make appropriate privacy information available with respect to SC/CO data?
  • Are we open and honest when we collect SC/CO data and do we ensure we do not mislead people about its use?

Principle (b): Purpose limitation

  • Have we clearly identified our purposes for processing SC/CO data?
  • Have we included appropriate details in our privacy information for individuals?
  • If we plan to use data for a new purpose, do we check this is compatible or obtain specific consent?

Principle (c): Data minimisation

  • Are we satisfied we only collect SC/CO data we actually need for our specified purposes?
  • Do we periodically review this data and delete anything we don’t need?

Principle (d): Accuracy

  • Do we have appropriate processes to check the accuracy of SC/CO data we collect?
  • Do we have a process to identify when data needs updating and to update it as necessary?
  • Do we have procedures for how we keep records of mistakes or opinions and deal with challenges to accuracy?

Principle (e): Storage limitation

  • Do we carefully consider how long we keep SC/CO data and can we justify this period?
  • Do we regularly review and erase or anonymise SC/CO data when we no longer need it?

Principle (f): Integrity and confidentiality (security)

  • Have we analysed the risks and used this to assess the appropriate level of security?
  • Do we have an information security policy regarding SC/CO data, and is it regularly reviewed?
  • Have we put other technical measures in place because of the type of SC/CO data being processed?

Retention and erasure policies

Set out retention and erasure policies with respect to each category of SC/CO data, including how long each specific category is likely to be retained.

[To be completed per processing activity]

APD Review Date and Accountability

[To be completed]