Your Privacy

The National Rheumatoid Arthritis Society is committed to ensuring that the supporter, Member and health information we handle is fully protected and managed carefully. We work within the guidelines set out by data protection law.

Your privacy is important to us, and we understand how important it is to you. This privacy policy tells you about the information we collect and process, what we do with it and what we do to ensure your information is secure. It also tells you about your rights and how to contact us if you have any concerns or questions about data protection.

If you would like a printed copy of this privacy statement, please email data@nras.org.uk or call 01628 823 524 (Office).

This statement is reviewed regularly and may be updated periodically. Changes will be posted on this page, and they will apply from the time we publish them. We encourage you to review our privacy policy on a regular basis so that you will be aware of any changes to it.

This policy was updated on 01/02/2022.

Please click on the following sections for more information:

The National Rheumatoid Arthritis Society (NRAS) is a registered charity in England and Wales (Charity No. 1134859) and Scotland (Charity No. SC039721).

The National Rheumatoid Arthritis Society (NRAS) is a private company limited by guarantee. Registered in England and Wales (Company No. 07127101)

JIA-at-NRAS is part of the National Rheumatoid Arthritis Society (NRAS).

We are registered with the Information Commissioner’s Office (www.ico.org.uk) as National Rheumatoid Arthritis Society (Registration No. Z7759317): https://ico.org.uk/ESDWebPages/Entry/Z7759317

For further information regarding your personal data, or about NRAS’s approach to data protection in general please contact our Data Protection Lead at:

NRAS, Beechwood Suite 3, Grove Park Industrial Estate, White Waltham, Maidenhead, Berkshire, SL6 3LW

Alternatively, email us at data@nras.org.uk or call 01628 823524.

NRAS collects, stores and processes personal data for several purposes, mainly:

  • The administration of the charity
  • Membership administration
  • Medical Information for improving our services, resources and knowledge
  • Improving services and resources to meet your needs
  • Financial accounting
  • Fundraising
  • Marketing

NRAS will use (process) your information if we:

  • have a ‘legitimate interest’ to do so in order to support our charitable purposes. Our use will be fair, unbiased and never unduly impact on your rights;
  • have an agreement with you that we can only fulfil by using your personal information, e.g. send you an item that you have requested;
  • have asked your consent for us to do so;
  • have a legal obligation to use or disclose information about you, e.g. we are required by law to keep records of gifts that are given to us with Gift Aid;
  • need to provide you with relevant information, support and management options for your condition.

The table below highlights the types of personal data that we use, what we use them for and the legal basis for processing:

Type of Data Purpose Legal basis for processing
Name, address, phone, email, date of birth, and other relevant contact information membership and donation history, employment status, gender, history of support and engagement in services, activities & events, professional contacts For the administration of donations, and to support your fundraising, including processing gift aid. To provide you with the services, products or information you asked for. To keep a record of your relationship with us. To understand our supporters better so we can tailor our communications and relationship with you and provide a better service. Please refer to the Profiling and data research section of this policy for more information. For direct marketing purposes. To identify known donors and those who may have an interest in donating in future. To analyse donation patterns. To verify that you are old enough to access our services, play our lottery/raffles or be a member. Legitimate interest – this information is necessary for the purposes of collecting donations, administering, and maintaining our supporter base and ensuring sustainable fundraising including wealth screening. Legal Obligation – in some cases this data is collected to meet legal requirements – for example we are legally obliged to pass details of your donations to HMRC for tax purposes.
Personal, health and ethnicity data including details relating to your condition – diagnosis date, medication and medical procedures/operations Anonymised data will be used to identify trends or particular sections of the population that require additional support or services. Or to determine the impact of the NRAS services and support. Legitimate interest and for the purpose of providing social care services (UKGDPR art 9(2)(h)) – NRAS will be better able to campaign on behalf of its community as a patient led organisation
Personal, health and ethnicity data including details relating to your condition – diagnosis date & medication To connect with you for a particular opportunity relating to your specific medical or demographic profile for e.g.  to identify suitable candidates for involvement in research studies and industry partner collaborations. Consent only.
Bank and payment card details. To process membership subscriptions, donations, lottery subscriptions and shop purchases. Legitimate interest – one off and recurring payments and donations

 

Legal obligation – VAT and other applicable taxes

Records of payments for purchases you have made from our online shop or catalogue. To enable us to follow up any problems, complaints or disputes relating to your order. Legitimate interest for recording purchases and managing stock
We may record and keep track of conversations you have with us including phone calls, letters, emails, live chats, video chats and any other kind of communication We use these records to check your instructions to us, assess, analyse and improve our service, and to train our staff Legitimate interest – this information is necessary for the purposes of collecting donations, administering, maintaining our supporter base, ensuring sustainable fundraising and appropriate support and services are offered to those who contact us.
Contact stories To promote the life changing work carried out by NRAS, its supported and affiliated partners and professionals We only use these where you have given your consent
Helpline call information including personal and health data relating to the caller To inform the support team so they can follow up on calls and provide relevant support and advice. Or to determine the impact of the NRAS services and support. Or to inform our policy and advocacy work of trends/concerns about health services etc. Legitimate interest and for the purpose of providing social care services (UKGDPR Art 9(2)(h) – ensuring relevant and appropriate support, guidance and recommendations are made to callers.
Your volunteering history (including the activities & events you have taken part in, number of hours you worked) To keep a record of your relationship with us, so we can keep you informed about developments in the charity and improve your volunteering experience; to help us identify which types of events/methods of volunteering are most effective and demonstrate the value of volunteering. Legitimate interest – NRAS has an interest in analysing which types of activity are most effective and also identifying those volunteers who are best able to help us organise events and gather donations
Gift aid forms For tax purposes and to enable us to claim Gift Aid back from HRMC Legal obligation
Details of any complaints you have made against NRAS. as well as any complaints you’ve raised against a health service/CCG/ etc. To enable us to investigate and resolve your concerns and understand how we can improve our services, products or information and influence change with external stakeholders and/or intervene/advocate on your behalf. Legitimate interests –this information is necessary for us to identify areas where we can improve the service we provide
Your marketing preferences for contact by email, post, phone and messaging including SMS So we know how you prefer to be contacted in terms of promotion of services, the charity’s work, promotion of charitable activities and fundraising Legitimate interests – for postal and telephone communication

 

Consent for email and direct messaging including SMS

Photographs and videos taken at NRAS and JIA-at-NRAS events, case studies To promote the cause of NRAS through our website, magazine, e-news bulletins and social media pages We only use these where you have given your consent
Records of fundraising activities you have organised To record how much income each particular event/method of fundraising generates. To keep a record of your relationship with us Legitimate interest – NRAS has an interest in analysing which types of events raise the most income, and also in identifying those supporters who are best able to help us to organise events and gather donations
Information relating to your lottery subscription The administration of the NRAS lotteries Contractual purposes and legal obligations imposed under the Gambling Act 2005
Information on the health state of people who want to sign up for fundraising events For health and safety purposes. We need to check whether you have any underlying health conditions that would make it unsuitable for you to participate in an event Consent
Contact profiles such as social group, age bracket, wealth indicators. We create profiles of our contacts to help us to communicate effectively with them. Please refer to our information about creating profiles below Legitimate interest – database segmentation to enable us to undertake effective direct marketing and communications activities.

We may also hold information about how you are affiliated or related to other contacts e.g. family relationship or if a health professional affiliated with a number of hospitals/ colleagues or person affiliated to a group of people who did a fundraising activity together etc.

We will inform you if the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract with us and of the possible consequences of failure to provide such data (e.g. in service engagement and volunteering situations).

It is necessary for NRAS to share personal data with a number of external organisations, in order to provide you with the services/resources you require and fulfil the aims of the organisation.

Recipient/Category of organisation Purpose of sharing
IT support companies We may share selected areas of your data with an IT support company so they can investigate software issues.
Secure online payment provider We use a secure online payment provider to process your card and bank details when process payments via our website. These payments may be for purchases, membership subscriptions or donations.
External practitioners We share name, phone number and email with designated external practitioners if members opt to have referrals to them as part of our membership offering. You need to have the appropriate type of membership and request a referral in order for your data to be shared.
Mailing companies We use mailing companies to post out promotional material to our supporters
Data support providers To undertake quality and data cleansing activities such as removing duplicate data; screening our data against public registers such as bereavement and deceased, mailing and telephone preference services, fundraising preference services etc., to obtain forwarding addresses for people who move house without informing us, to fill in gaps in our database such as interests and profile-based information. Please see the section in this policy on Profiling and data research for more information
Software platform providers We use external companies to host our charity records database
Internet and social media hosting company We use external companies to host and develop major changes to the NRAS and JIA websites and use social media provided by Facebook, Twitter, Linked In and Instagram.
Research & External Stakeholder Partners If you have consented to participating in a research project or external stakeholder’s activity it will be necessary for us to share your contact details with them to arrange good communication. This will only happen with documented consent to do so.
HMRC Where you have made a Gift Aid declaration, we will pass the details to HMRC in order to claim back tax
Data protection consultancy We may share personal data with a data protection consultancy when seeking advice and support on data protection issues
Solicitors We may share personal data with solicitors in the course of obtaining legal advice and support.
External Product Manager We use an external fulfilment companies to process purchases on our behalf. For example, Christmas merchandise
Event companies Where you have informed us that you want to participate in challenge events to raise money for NRAS then we may share your contact details with the event organisers so they can provide you with further information and registration details.
External Lottery Manager We use an external company to process lottery applications on our behalf

We may also disclose your personal information to third parties from time to time:

  1. if we are under a duty to disclose or share your personal data to the police and other law enforcement agencies/courts/insurance companies, pensions, other health services, practitioners, local authority for social care/support in order to comply with any legal obligation;
  2. to fulfil any order that you place with us (e.g. we would share data with our retail partner, mailing houses, credit card companies and banks etc.);
  3. to enforce or apply our terms of use and other agreements;
  4. to protect the rights, property, or safety of our business, our customers, or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We may transfer personal data outside of the UK where data subjects’ rights may not be adequately protected or enforceable. Whenever we arrange for international transfers of data overseas, we will ensure the suitable arrangements are in place to provide suitable safeguards for the people whose information we transfer. When we appoint overseas data processors, we check that suitable arrangements are in place such as UK Adequacy Decisions, with other necessary safeguards and pursuant to a transfer risk assessment, or other permitted mechanisms.

NRAS transfers personal data outside of the United Kingdom to these organisations:

Organisation Country Purpose
MailChimp USA Email marketing mail outs

NRAS relies on the standard contractual agreement with Mailchimp.

NRAS will only keep your personal data for as long as is necessary to provide you with the services, goods, or information you require and to administer your relationship with us. For example, financial data is retained for 7 years. Our data retention schedule, which outlines how long different types of data are retained, can be requested by emailing data@nras.org.uk or calling 01628 823524.

We are legally required to retain some personal information to fulfil statutory obligations, for example, the collection of Gift Aid or to support certain financial transactions.

Where we are not under a legal obligation to retain your information, we will determine what is necessary by reference to the lawful basis for processing set out above and our legitimate interests.

After you stop being a member or engaged with us in another capacity, we may keep your data for up to 10 years for one of these reasons:

  • To reactivate your account should you wish to re-engage with us. We will contact you periodically if you are happy for us to contact you.
  • You have made a pledge over the longer term such as leaving a gift in your will to the charity.

We may keep your data for longer than 10 years if we cannot delete it for legal or regulatory reasons. We may also keep it for anonymised research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

We undertake data matching and research to help us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way and ensure that we provide you with an experience as a supporter or potential supporter which is appropriate for you.

We may match your details against other databases to ensure our data is accurate and up-to-date. This includes the National Change of Address database (NCOA) from Royal Mail, which uses data from their redirection service, helping us keep in touch with you if you have moved recently without telling us. Another example is screening against bereavement registers, for example TBR, as we know that sending mail to a recently deceased member of a family can be distressing and by running this data matching service we can reduce the possibility of NRAS contacting someone who has passed away.

We analyse how emails are opened and read to see which messages have the highest response rates and whether there are messages that resonate with particular groups of people. We do this by logging whether emails have been opened, deleted and interacted with, for example, by clicking on links within the emails.

We may use your data to help identify what traits you may have in common with other people who are similar to you via marketing lists and tools that highlight people’s hobbies and interests. For example, knowing which newspapers are most commonly read helps us identify where to advertise to find more people like you, who care about our work.

As a fundraising organisation, we undertake in-house research and from time to time engage specialist agencies such as Prospecting for Gold to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as LinkedIn, political and property registers and news archives.

We may also carry out wealth screening to fast track the research using our third-party partners. You will always have the right to opt out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to our current major supporters, trustees, or other lead volunteers. As a registered charity, we are subject to a number of legal and regulatory obligations and standards. This means that we may carry out appropriate due diligence and background checks on potential supporters or anyone planning to make a significant donation or gift before accepting it in order protect NRAS from abuse, fraud and/or money laundering.

If you would prefer us not to wealth screen your data, please email us at data@nras.org.uk or call us on 01628 823524.

The services we provide include, but are not limited to, a Helpline, Conferences, Self-Management resources and information, Mobile Phone apps, Peer to Peer Support (both face to face and virtual), opportunities to participate in research and campaigns, provision of resources and education for health-professional, advocacy on behalf of individuals and RA/JIA population as a whole. Over 18s can access our services independently. Under 18s should be accompanied or supported by an adult in accessing our services.

To raise awareness of our organisation, our services and the need to fundraise the money we need every year for our vital work, NRAS undertakes a wide range of marketing activities to reach new and existing supporters and beneficiaries.

You may receive information by post or telephone from NRAS about the goods and resources we provide, fundraising appeals and events, campaigns, research opportunities and the other work we do that is part of our charitable mission. Our legal basis for processing this is legitimate interest.

We will only send marketing relating to fundraising appeals and events, campaigns, research opportunities by email and text where you have given us consent to do so. Every email or text message we send will provide an option to opt-out of receiving future messages if you wish.

We are registered with the Fundraising Regulator and adhere to the fundraising code of practice. We do not give, sell or exchange your information with other organisations for marketing purposes.

You may, at any time, opt-out of receiving marketing from NRAS by contacting us via post, telephone 01628 823524, or emailing us at marketing@nras.org.uk.

The NRAS website contains cookies. A cookie is a small txt file that is added to your mobile phone, tablet or computer (your device) when you access our website.

Cookies are useful because they allow us to recognise your device and your user preferences. We use cookies to manage our website and display information to you and recognise users’ preferences. These are generally termed as ‘strictly necessary’ cookies. Marketing, performance and tracking cookies can also gather basic tracking information from the website you visited prior to & after you visited ours, date, time of visit, length of time spent on our webpages and your interactions with our website. These types of cookies require your consent prior to them being placed on your device. The NRAS webpage cookie banner provides the ability to set your cookie preferences.

Marketing, performance and tracking cookies allows us to personalise the user experience and to improve the quality of our website navigation. We also use analytical cookies, which allow us to recognise and count the number of users on our website and how they move around it.

Cookies can help us improve the way our website works, for example by making sure users find easily what they need. If you do not want cookies on your computer, you can remove them by changing the ‘Cookie Settings’ within our cookie banner or by changing your browser settings on your device.

You can remove all of the cookies or just the third-party cookies. The table below identifies the cookies we use.

Cookie Name Time Saved Description
CookieLawInfoConsent 365 days Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-necessary 365 days Records the default button state of the corresponding category. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-non-necessary 365 days Same as above
viewed_cookie_policy 365 days Is the primary cookie that records the user consent for the usage of the cookies upon ‘accept’ and ‘reject’. It doesn’t track any personal data and is set only upon user action(accept/reject).
__stripe_mid 365 days Used to provide fraud prevention.
_ga 407 days This cookie is a Google Analytics persistent cookie which is used to distinguish unique users.
_gat 365 days This cookie is used to throttle request rate. These are third party cookies that are placed on your device to allow us to use the Google Analytics service. These cookies are used to collect information about how visitors use our website. We use this information to compile reports and to help us improve the website.
_gcl_au 365 days This cookie is used by Google Adsense to track and store conversions.

 

The GDPR grants you certain rights (‘information rights’) which we summarise below:

Right of access and of data portability. You have the right of access to information we hold about or concerning you and/or to have it transferred to another data controller in some circumstances.  If you would like to exercise this right you should contact our Data Protection Lead.
Right of rectification or erasure. If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it.  You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data.  Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will/shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure.
Right to restriction of processing. You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore, but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
Right to object. You have a right to object to our processing of your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing, wealth screening and profiling.
Right to Withdraw Consent. You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.  To withdraw consent please select the unsubscribe option in the most recent electronic communication you have received that you wish to unsubscribe from, alternatively you can call us on 01628 823524.
Right of Complaint. You also have a right to lodge a complaint about any aspect of how we are handling your data with the UK’s Information Commissioner’s Office who can be contacted at www.ico.org.uk.

If you would like to find out more about your rights, please contact our Data Protection Lead at data@nras.org.uk.

If you are not happy about something or would like to complain please contact our Data Protection Lead at data@nras.org.uk in the first instance so we can do our utmost to resolve your complaint.

If the Data Protection Lead is unable to resolve your complaint it will be escalated to senior management. If is it still unresolved you have the right to make a complaint with the Information Commissioner’s Office via https://ico.org.uk/.

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.