Your Privacy

The National Rheumatoid Arthritis Society is committed to ensuring that the supporter, Member and health information we handle is fully protected and managed carefully. We work within the guidelines set out by data protection law.

Your privacy is important to us, and we understand how important it is to you. This privacy policy tells you about the information we collect and process, what we do with it and what we do to ensure your information is secure. It also tells you about your rights and how to contact us if you have any concerns or questions about data protection.

If you would like a printed copy of this privacy statement, please email data@nras.org.uk or call 01628 823 524 (Office).

This statement is reviewed regularly and may be updated periodically. Changes will be posted on this page, and they will apply from the time we publish them. We encourage you to review our privacy policy on a regular basis so that you will be aware of any changes to it.

This policy was updated on 29/11/2024.

Please click on the following sections for more information:

The National Rheumatoid Arthritis Society (NRAS) is a registered charity in England and Wales (Charity No. 1134859) and Scotland (Charity No. SC039721).

The National Rheumatoid Arthritis Society (NRAS) is a private company limited by guarantee. Registered in England and Wales (Company No. 07127101)

JIA-at-NRAS is part of the National Rheumatoid Arthritis Society (NRAS). We are registered with the Information Commissioner’s Office (www.ico.org.uk) as National Rheumatoid Arthritis Society (Registration No. Z7759317): https://ico.org.uk/ESDWebPages/Entry/Z7759317

For further information regarding your personal data, or about NRAS’s approach to data protection in general please contact our Data Protection Lead at:

3 Beechwood, Grove Park Business Park, White Waltham Rd, Maidenhead Berks SL6 3LW

Alternatively, email us at data@nras.org.uk or call 01628 823524.

NRAS collects, stores and processes personal data for several purposes, mainly:

  • The administration of the charity
  • Membership administration
  • Medical Information for providing and improving our services, resources and knowledge
  • Improving services and resources to meet your needs
  • Financial accounting
  • Fundraising
  • Marketing

NRAS will use (process) your information if we:

  • have a ‘legitimate interest’ to do so in order to support our charitable purposes. Our use will be fair, unbalanced and never unduly impact on your rights;
  • have an agreement with you that we can only fulfil by using your personal information, e.g. send you an item that you have requested;
  • have asked your consent for us to do so;
  • have a legal obligation to use or disclose information about you, e.g. we are required by law to keep records of gifts that are given to us with Gift Aid;
  • need to provide you with relevant information, support and management options for your condition.

The table below highlights the types of personal data that we use, what we use them for and the legal basis for processing:

Type of Data Purpose Legal basis for processing
Name, address, phone, email, date of birth, and other relevant contact information membership and donation history, employment status, gender, history of support and engagement in services, activities & events, professional contacts For the administration of donations, and to support your fundraising, including processing gift aid. To provide you with the services, products or information you asked for. To keep a record of your relationship with us. To understand our supporters better so we can tailor our communications and relationship with you and provide a better service. Please refer to the Profiling and data research section of this policy for more information. For direct marketing purposes. To identify known donors and those who may have an interest in donating in future. To analyse donation patterns. To verify that you are old enough to access our services, play our lottery/raffles or be a member. Legitimate interest (article 6, 1 (f) UK GDPR) – this information is necessary for the purposes of collecting donations, administering, and maintaining our supporter base and ensuring sustainable fundraising including wealth screening.

 

Legal Obligation (article 6, 1  (c) UK GDPR)  – in some cases this data is collected to meet legal requirements – for example we are legally obliged to pass details of your donations to HMRC for tax purposes.

 Personal such as name and contact information,  health and ethnicity data including details relating to your condition – diagnosis date, medication and medical procedures/operations To match volunteers to relevant opportunities and to match callers or referred patients to volunteers for peer support calls. Anonymised data will be used to identify trends or particular sections of the population that require additional support or services. Also to determine the impact of the NRAS services and support. Legitimate interest (article 6 (1) (f) UK GDPR) and for the purpose of providing social care services (UKGDPR art 9(2)(h)) – NRAS will be better able to provide services for, and campaign on behalf of its community as a patient led organisation
Personal, such as name and contact information, health and ethnicity data including details relating to your condition – diagnosis date & medication To connect with you for a particular opportunity relating to your specific medical or demographic profile for e.g.  to identify suitable candidates for involvement in research studies and industry partner collaborations. Legitimate interest (article 6 (1) (f) UK GDPR) and for scientific or historical research purposes (UKGDPR art 9(2)(j)) – NRAS will be better able to select diverse volunteers to participate in survey and research studies so the results from the work better represents the wider RA or JIA community.
Bank and payment card details. To process membership subscriptions, donations, lottery subscriptions and shop purchases. Legitimate interest (Article 6 (1) (f) UK GDPR) – one off and recurring payments and donations

 

Legal obligation (Article 6 (1) (c) UK GDPR)– VAT and other applicable taxes

Records of payments for purchases you have made from our online shop or catalogue. To enable us to follow up any problems, complaints or disputes relating to your order. Legitimate interest (Article 6 (1) (f) UK GDPR) for recording purchases and managing stock
We may record and keep track of conversations you have with us including phone calls, letters, emails, live chats, video chats and any other kind of communication We use these records to check your instructions to us, assess, analyse and improve our service, and to train our staff Legitimate interest (Article 6 (1) (f) UK GDPR) – this information is necessary for the purposes of collecting donations, administering, maintaining our supporter base, ensuring sustainable fundraising. Also to monitor and improve our services, and ensure appropriate support and services are offered to those who contact us.
Helpline call information including personal and health data relating to the caller To inform the support team so they can follow up on calls and provide relevant support and advice. Or to determine the impact of the NRAS services and support. Or to inform our policy and advocacy work of trends/concerns about health services etc. Legitimate interest (Article 6 (1) (f) UK GDPR) and for the purpose of providing social care services (UKGDPR Art 9(2)(j) Schedule 1 Part 2( para.16) – ensuring relevant and appropriate support and information are made to callers.
Your volunteering history (including the activities, training & events you have taken part in, number of hours you worked) To keep a record of your relationship with us, so we can keep you informed about developments in the charity and improve your volunteering experience; to help us identify which types of events/methods of volunteering are most effective and demonstrate the value of volunteering. Legitimate interest (Article 6 (1) (f) UK GDPR) – NRAS has an interest in analysing which types of activity are most effective and also identifying those volunteers who are best able to help us organise events and gather donations
Gift aid forms To record when you authorise NRAS to collect gift aid from HMRC. Legal obligation (Article 6 (1) (c) UK GDPR) – To enable us to claim Gift Aid back from HRMC and to comply with financial audit requirements.
Details of any complaints you have made against NRAS. To enable us to investigate and resolve your concerns and understand how we can improve our services, products or information and influence change with external stakeholders and/or intervene/advocate on your behalf. Legitimate interests (Article 6 (1) (f) UK GDPR) –this information is necessary for us to identify areas where we can improve the service we provide
Your marketing preferences for contact by email, post, phone and messaging including SMS So we know how you prefer to be contacted in terms of promotion of services, the charity’s work, promotion of charitable activities and fundraising Legitimate interests (Article 6 (1) (f) UK GDPR) – for postal and telephone communication.

 

Consent for email and direct messaging including SMS (Article 6 (1) (a) UK GDPR and Regulation 22 PECR)

We may use photographs, videos, and testimonials taken or submitted to NRAS and JIA-at-NRAS (events, case studies). This may include special category data such as medical conditions  To promote our cause, including raising awareness of Rheumatoid Arthritis (RA) and Juvenile Idiopathic Arthritis (JIA), and supporting our campaigns and initiatives. These materials may appear on our website, magazine, e-news bulletins, social media pages, and other promotional or educational content.

We will use these materials as long as they continue to support our mission and the purpose for which they were collected. You have the right to object. For more details information please see our Photo and Video Statement.

 

Legitimate Interest (Article 6(1)(f), UK GDPR) as it is in NRAS’s legitimate interest to use photographs, videos, and testimonials to promote public awareness and understanding of RA and JIA, and to support our charitable goals.

 

Also, Substantial Public Interest (Article 9(2)(g), UK GDPR) for special category data (e.g., health information included in testimonials), we rely on this basis under Condition 16, Schedule 1 of the Data Protection Act 2018, which allows processing for not-for-profit organisations furthering public awareness and understanding.

Records of your fundraising activities To record how much income each particular event/method of fundraising generates. To keep a record of your relationship with us. Legitimate interest (Article 6 (1) (f) UK GDPR) – NRAS has an interest in analysing how income has been generated in order to manage future fundraising campaigns and events.
Information relating to your lottery subscription. So NRAS understands when and how long you have played our lottery. Contractual purposes (Article 6 (1) (b) UK GDPR) and legal obligations (Article 6 (1) (c) UK GDPR) imposed under the Gambling Act 2005
Information on the health state of people who want to sign up for fundraising events. For health and safety purposes. We need to check whether you have any underlying health conditions that would make it unsuitable for you to participate in an event. Consent (Article 6 (1) (a) UK GDPR).
Contact profiles such as social group, age bracket, wealth indicators. We create profiles of our contacts to help us to communicate effectively with them. Please refer to our information about creating profiles below. Legitimate interest (Article 6 (1) (f) UK GDPR) – database segmentation to enable us to undertake effective direct marketing and communications activities.

We may also hold information about how you are affiliated or related to other contacts e.g. family relationship or if a health professional affiliated with a number of hospitals/ colleagues or person affiliated to a group of people who did a fundraising activity together etc.

Where you have given consent to third party organisations they will share data with us, such as fundraising or engagement activities from Just Giving, Run for Charity, and similar sites or social media sites if you’ve consented to share data via your settings.

It is necessary for NRAS to share personal data with a number of external organisations, in order to provide you with the services/resources you require and fulfil the aims of the organisation.

Recipient/Category of organisation Purpose of sharing
IT support companies We may share selected areas of your data with an IT support company so they can investigate software issues.
Secure online payment provider We use a secure online payment provider to process your card and bank details when process payments via our website. These payments may be for purchases, membership subscriptions or donations.
Referring practitioners We inform referring organisations about their patient referral outcomes.
Mailing companies We use mailing companies to post out promotional material to our supporters.
Data support providers To undertake quality and data cleansing activities such as removing duplicate data; screening our data against public registers such as bereavement and deceased, mailing and telephone preference services, fundraising preference services etc., to obtain forwarding addresses for people who move house without informing us, to fill in gaps in our database such as interests and profile-based information. Please see the section in this policy on Profiling and data research for more information
Software platform providers We use external companies to host our charity records database
Internet and social media hosting company We use external companies to host and develop major changes to the NRAS and JIA websites and use social media provided by Facebook, Twitter, Linked In and Instagram.
Research & External Stakeholder Partners If you have consented to participating in a research project or external stakeholder’s activity it will be necessary for us to share your contact details with them to arrange communication. This will only happen with documented consent to do so.
HMRC Where you have made a Gift Aid declaration, we will pass the details to HMRC in order to claim back tax
Data protection consultancy We may share personal data with a data protection consultancy when seeking advice and support on data protection issues
Solicitors We may share personal data with solicitors in the course of obtaining legal advice and support.
External Product Manager We use an external fulfilment companies to process purchases on our behalf. For example, Christmas merchandise
Event companies Where you have informed us that you want to participate in challenge events to raise money for NRAS then we may share your contact details with the event organisers so they can provide you with further information and registration details.
External Lottery Manager We use an external company to process lottery applications on our behalf
External Prospect Research company We periodically use an external company to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as LinkedIn, political and property registers and news archives. This information is used to inform our communications with you.

 

We may also disclose your personal information to third parties from time to time:

  1. if we are under a duty to disclose or share your personal data to the police and other law enforcement agencies/courts/insurance companies, pensions, other health services, practitioners, local authority for social care/support in order to comply with any legal obligation;
  2. to fulfil any order that you place with us (e.g. we would share data with our retail partner, mailing houses, credit card companies and banks etc.);
  3. to enforce or apply our terms of use and other agreements;

to protect the rights, property, or safety of our business, our customers, or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We may transfer personal data out of the UK either directly or through our use of certain data processors.  Whenever we arrange for restricted (international) transfers of personal data overseas we will ensure that arrangements are in place to provide suitable safeguards for the people whose information we transfer. For example, when we appoint data processors we check that suitable arrangements are in place such as Adequacy Regulations, binding corporate rules, international data transfer agreements, standard contractual clauses, or other permitted mechanism.  The restricted transfers we make include transferring personal data to the EU and the US under the UK extension of the EU:US Data Privacy Framework and/or standard contractual clauses. Further information about the safeguards related to the restricted transfers we make can be provided on request.

NRAS will only keep your personal data for as long as is necessary to provide you with the services, goods, or information you require and to administer your relationship with us, as mentioned above.

For example, financial data is retained for 7 years.

We are legally required to retain some personal information to fulfil statutory obligations, for example, the collection of Gift Aid.

Where we are not under a legal obligation to retain your information, we will determine what is necessary by reference to the lawful basis for processing set out above and our legitimate interests.

After you stop being a member or engaged with us in another capacity, we may keep your data for up to 10 years for one of these reasons:

  • To reactivate your account should you wish to re-engage with us. We will contact you periodically if you are happy for us to contact you.
  • You have made a pledge over the longer term such as leaving a gift in your will to the charity.

We may keep your data for longer than 10 years if we cannot delete it for legal or regulatory reasons. We may also keep it for anonymised research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

Our data retention schedule, which outlines how long different types of data are retained, can be requested by emailing data@nras.org.uk or calling 01628 823524.

We undertake data matching and research to help us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way and ensure that we provide you with an experience as a supporter or potential supporter which is appropriate for you.

We may match your details against other databases to ensure our data is accurate and up to date. This includes the National Change of Address database (NCOA) from Royal Mail, which uses data from their redirection service, helping us keep in touch with you if you have moved recently without telling us. Another example is screening against bereavement registers, for example TBR, as we know that sending mail to a recently deceased member of a family can be distressing and by running this data matching service we can reduce the possibility of NRAS contacting someone who has passed away.

We analyse how emails are opened and read to see which messages have the highest response rates and whether there are messages that resonate with particular groups of people. We do this by logging whether emails have been opened, deleted and interacted with, for example, by clicking on links within the emails.

We may use your data to help identify what traits you may have in common with other people who are similar to you via marketing lists and tools that highlight people’s hobbies and interests. For example, knowing which newspapers are most commonly read helps us identify where to advertise to find more people like you, who care about our work.

As a fundraising organisation, we undertake in-house research and from time to time engage specialist agencies to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as LinkedIn, political and property registers and news archives.

We may periodically use third-party partners to research prospects. You will always have the right to opt out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to our current major supporters, trustees, or other lead volunteers. As a registered charity, we are subject to a number of legal and regulatory obligations and standards. This means that we may carry out appropriate due diligence and background checks on potential supporters or anyone planning to make a significant donation or gift before accepting it in order protect NRAS from abuse, fraud and/or money laundering.

If you would prefer us not to wealth screen your data, please email us at data@nras.org.uk or call us on 01628 823524.

The services we provide include, but are not limited to, a Helpline, Conferences, Self-Management resources and information, Mobile Phone apps, Peer to Peer Support calls, opportunities to participate in research and campaigns, provision of resources and education for health-professional, advocacy on behalf of individuals and RA/JIA population as a whole. Over 18s can access our services independently. Under 18s should be accompanied or supported by an adult in accessing our services.

To raise awareness of our organisation, our services and the need to fundraise the money we need every year for our vital work, NRAS undertakes a wide range of marketing activities to reach new and existing supporters and beneficiaries.

You may receive information by post or telephone from NRAS about the goods and resources we provide, fundraising appeals and events, campaigns, research opportunities and the other work we do that is part of our charitable mission. Our legal basis for processing this is legitimate interest under Article 6 (1) (f) UK GDPR.

We will only send marketing relating to fundraising appeals and events, campaigns, research opportunities by email and text where you have given us consent to do so. Every email or text message we send will provide an option to opt-out of receiving future messages if you wish.

We are registered with the Fundraising Regulator and adhere to the fundraising code of practice. We do not give, sell or exchange your information with other organisations for marketing purposes.

You may, at any time, opt-out of receiving marketing from NRAS by contacting us via post, telephone 01628 823524, or emailing us at marketing@nras.org.uk.

The NRAS website contains cookies. A cookie is a small txt file that is added to your mobile phone, tablet or computer (your device) when you access our website.

Cookies are useful because they allow us to recognise your device and your user preferences. We use cookies to manage our website and display information to you and recognise users’ preferences. These are generally termed as ‘strictly necessary’ cookies.

Marketing, performance and tracking cookies can also gather basic tracking information from the website you visited prior to & after you visited ours, date, time of visit, length of time spent on our webpages and your interactions with our website. These types of cookies require your consent prior to them being placed on your device. The NRAS webpage cookie banner provides the ability to set your cookie preferences.

Marketing, performance and tracking cookies allows us to personalise the user experience and to improve the quality of our website navigation. We also use analytical cookies, which allow us to recognise and count the number of users on our website and how they move around it.

Cookies can help us improve the way our website works, for example by making sure users find easily what they need. If you do not want cookies on your computer, you can remove them by changing the ‘Cookie Settings’ within our cookie banner or by changing your browser settings on your device.

You can remove all of the cookies or just the third-party cookies. The table below identifies the cookies we use.

Cookie Name Time Saved Description
CookieLawInfoConsent 365 days Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-necessary 365 days Records the default button state of the corresponding category. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-non-necessary 365 days Same as above
viewed_cookie_policy 365 days Is the primary cookie that records the user consent for the usage of the cookies upon ‘accept’ and ‘reject’. It doesn’t track any personal data and is set only upon user action(accept/reject).
__stripe_mid 365 days Used to provide fraud prevention.
_ga 407 days This cookie is a Google Analytics persistent cookie which is used to distinguish unique users.
_gat 365 days This cookie is used to throttle request rate. These are third party cookies that are placed on your device to allow us to use the Google Analytics service. These cookies are used to collect information about how visitors use our website. We use this information to compile reports and to help us improve the website.
_gcl_au 365 days This cookie is used by Google Adsense to track and store conversions.

The GDPR grants you certain rights (‘information rights’) which we summarise below:

Right of access and of data portability. You have the right of access to information we hold about or concerning you and/or to have it transferred to another data controller in some circumstances.  If you would like to exercise this right you should contact our Data Protection Lead.
Right of rectification or erasure. If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it.  You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data.  Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will/shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure.
Right to restriction of processing. You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore, but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
Right to object. You have a right to object to our processing of your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing, wealth screening and profiling.
Right to Withdraw Consent. You have the right to withdraw your consent at any time for the processing of your personal data where the processing is based on consent.
Right of Complaint. You also have a right to lodge a complaint about any aspect of how we are handling your data with the UK’s Information Commissioner’s Office.

If you are not happy about something or would like to complain please contact our Data Protection Lead at data@nras.org.uk in the first instance so we can do our utmost to resolve your complaint.

If the Data Protection Lead is unable to resolve your complaint it will be escalated to senior management. If is it still unresolved you have the right to make a complaint with the Information Commissioner’s Office via https://ico.org.uk/.

If you would like to find out more about your rights or if you wish to exercise them, please contact our Data Protection Lead at data@nras.org.uk Or please call us on 01628 823524.

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.