When You Wish Upon a Star has a simple mission to grant the Wishes of children living with a life threatening illness. Our Wishes have the power to transform the lives of the children and families we work with and since 1990 we have proudly granted over 17,500 Wishes across the UK.

We use a database to securely hold your data on file. We will only place the information you have provided to us on our database and we only keep the data for as long as we need it, it is then deleted. Our database supplier is The Access Group. For more information please visit their website https://www.theaccessgroup.com

When you provide your personal details to us we use your information for legitimate charity interests to continue on providing Wishes across the UK. Before doing this, we will also carefully consider and balance any potential impact on you and your rights.

We will send postal marketing and fundraising packs which further the aims of our charity. We will also ensure our postal marketing is relevant for you and tailored to your interests. When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Remember, you can change the way you hear from us or withdraw your permission for us to process your personal details at any time by contacting us on 01159 791 720 or email head.office@whenyouwish.org.uk .

We shall only ever use your information where we have a legal basis and will always respect your rights.Where we use your information, it may be because you have consented to us doing so or because we believe we have a legitimate interest to do so.

Where we do rely on a legitimate interest to use your information, we will always ensure this is conducted in a way that is not intrusive or does not cause any distress.

We may also use your information because we have a legal obligation to do so or because we need to fulfil a contractual obligation.

Some examples of what we mean by this include:

• You have given us your consent to use the information for a specified purpose, such as sending you marketing emails.
• We have a legal obligation to use your information, for example to claim Gift Aid.
• We need to use your information to fulfil a contract with you – such as providing an auction prize.
• We are using your information in pursuit of a legitimate interest, for example writing to you to tell you about our Wishes and ask for your support in helping us grant Wishes.

Other reasons include:

• To pursue our charitable purpose
• To raise vital funds for our work
• To ensure we meet our regulatory requirements
• To manage our ongoing relationship with our supporters and anyone we work with
• To manage our financial transactions and prevent fraud

You have the right to request all “searchable data” we hold on our records for you. To do so please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk

If you no longer want us to hold your data on our records please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

If you are unhappy with something we have done or failed to do, we want to know so we can rectify this, please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further. You also have the right to contact the ICO to make a complaint.

We do not knowingly collect personal data from children under the age of 13; please do not give us any personal data. If you have reason to believe a child has provided us their personal data, please contact us and we will delete that information from our databases.

A cookie is a small piece of information that is sent to your browser and stored on your computer’s hard drive. Cookies do not damage your computer and they cannot be used to discover the identity of a user. You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not and whether you are required to accept the cookie to view certain content.

Credit & Debit Cards
If you use your credit or debit card to donate to us or pay for a registration online or over the phone, we will ensure this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). You can find out more information about PCI DSS here

We do not store your credit/debit card details following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details.

Just Giving
If you have created a Just Giving page or made a donation through Just Giving they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

Active Network
If you have registered for an event through Active Network they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further

Virgin Money
If you have created a Virgin Money page or made a donation through Virgin Money they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

Charity Aid Foundation (CAF) / Give As You Earn
If you have made a donation through CAF they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

Charitable Giving
If you have made a donation through Charitable Giving they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

PayPal Giving
If you have made a donation through PayPal Giving they will pass your personal information on to us, unless you choose to remain anonymous. We will add this information to our database and may contact you in the future. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

Standing Orders
If you have set up a Standing Order to make a personal donation to use we will add your personal information to our database and may contact you in the future. Your banking information will be held by our bank, Nat West, as we require this to process the Standing Order. If you do not want us to do this please contact us on 01159 791 720 or email head.office@whenyouwish.org.uk to discuss this further.

Postal Donations
If you send us a cheque, cash or postal order and a covering letter which contains your personal data we will simply add the data to our database in order to issue you with a Thank You letter. The cheque, cash or postal order will be banked in the normal way. If you send us a cheque, cash or postal order with no personal data we will just bank the donation.

In Person Donation
If you visit our offices and wish to make a donation in person we will request your personal details in order to add you to our database and issue you with a Thank You letter. If you do not want to do this please inform us and we will simply process your donation without taking your personal data.

As a person under the age of 13 if you use this site for information about raising money for us or helping When You Wish Upon a Star, please let an adult know. Please do not give us any of your information such as your name, date of birth or address as we can’t keep it on our records. If you want more information on this privacy policy please ask an adult to explain it to you.

When You Wish Upon a Star have a simple aim, to grant the Wishes of children living with a life threatening illness. Since 1990 we are happy to say we have granted over 17,500 Wishes to children and their families across the UK.

When someone makes a donation to us we require information from them. This could be their name, address and, sometimes, bank account information. We won’t share this information without permission and will always ensure the information is kept safe.

If you or someone else is unhappy with something we have done or have not done we want to know so we can correct this. Please get an adult to contact us so we can help and correct the problem.

This policy describes the arrangements for ensuring the Charity’s compliance with the requirements of the GDPR 2018 covering collection, usage, disclosure, retention and disposal of personal data across the full scope of operational practice. The arrangements commence the moment the information is obtained until the time the information is returned, deleted or destroyed.

The responsibilities and arrangements expressed in this policy apply to all employees (including agency and contract workers) when conducting work on behalf of the Charity at any location.

This policy should be read in conjunction with the Charity’s Ethical Fundraising Policy (and associated forms), and the Fundraising Practise Staff Handbook.

It is the intention of the Charity to establish and maintain personal data processing arrangements which comply with the GDPR

The Charity will ensure that personal data is:

• Only collected when the individual to whom it relates has consented
• Necessary in relation to a contract, a request or a legal obligation or another legitimate reason
• Provided by the individual or another legally authorised individual or body
• Limited to what is relevant and appropriate
• Processed fairly and lawfully taking into account the specific requirements in relation to sensitive data to obtain explicit written consent
• Used only for its intended and limited use
• Captured and stored securely
• Maintained in a current and accurate state
• Only processed in accordance with the rights of the individual
• Retained no longer than is necessary
• Returned, deleted or destroyed confidentially

The Charity will uphold the rights of all data subjects to:

• Provide, deny or withdraw consent for the Charity to collect, use and retain personal data
• Know who is processing what personal information
• Know to whom the information may be disclosed
• Receive a copy of the personal information held
• Know the source of the information provided
• Request access to his/her personal information
• Have misinformation corrected or removed
• Request information causing distress to be removed

Data Subjects

Employees

• Only personal information essential to making an offer of appointment decision is collected during the recruitment process. Unsuccessful candidate data is retained electronically for 6 months following completion of the exercise and then deleted from the network. Hard copies are destroyed by shredding.
• Employees give consent for the Charity to hold relevant personal data when signing the Contract of Employment.
• Both a hard and soft copy version of a personnel record is created for all new employees. The employee provides essential personal information during the induction process. An explanation is provided as to the purpose and usage of the information. The employee is also made aware of his/her right to request access to the information and to have any inaccurate or out of date information corrected or removed.
• Health records and Criminal Disclosures Reports are stored in the hard copy version of the personnel file.
• Essential personal data is shared with data processors as necessary. RBS Mentor (HR employment records) and Bureau Two (Payroll services)
• Hard copy records are kept in a locked cabinet and are not removed from the Head Office site.
• Electronic records are password protected and stored on a secured network on the data processors’ sites.
• Only the General Manager and Deputy Manager have access to the personal data (hard and electronic versions) and log on rights to the data processing sites, limiting the risk of unlawful and unauthorised use or disclosure.
• Certain information is recorded on central electronic management systems for monitoring and reporting purposes (e.g., absence). These systems are subject to the Charity’s IT security arrangements (see IT Security) and only the General and Deputy Manager and the Administrative Assistant have access to the folder.
• Other than where the Charity is legally obligated to comply, no information is provided to an external source without the individual’s express (written) request or permission.
• On termination of the contract of employment the personnel file is retained indefinitely.

Trustees and Volunteers

Only the individual’s contact details and DBS declaration report are held by the Charity relating to the Charity’s Trustees and Volunteers. These records are stored, managed and destroyed in accordance with the arrangements for employees’ records.

Sponsors, Donors and Wish Families

The personal details of these three groups of data subjects are held in soft copy format only, on a networked CRM tool (ThankQ). The system allows for the different categories of information to be segregated and user access is limited at the individual role level such as fundraisers, Wish granters and managers.

Suppliers

Due to the nature of the Charity’s business operation, no supplier personal data is subject to the DPA compliance arrangements.

Building & Office Security

All premises have restricted access via an appropriate access control system. Key holding at each location is strictly limited to no more than 3 people at each site.

Clearly displayed notices make staff and visitors aware of the presence and location of CCTV cameras at the Nottingham site. The CCTV cameras are solely an access security measure and are not used to monitor or track employee activity.

Visitors are accompanied at all times by a member of staff when on Charity premises. Visitors, Trustees and Volunteers do not have access to the Charity’s IT network. However, arrangements can be made for Trustees who request permission (in advance) to work at one of the Charity’s locations.

Credit Card Machines

The Charity participates in an annual compliance test to ensure that data is handled in accordance with statutory and good practise rules.

IT Security

All personal data is stored on secure server in a secured server room at the Charity’s head office location. The Charity does not engage in any cloud based or off shore based products, at this time. The Charity employs an external service provider, Bramatt Computing to provide day to day IT support. All data supplied to Bramatt Computing is stored on a secure server in a security controlled server room. Access to the Bramatt Computing based facility is limited to the two Company Directors. Bramatt Computing do not perform any data transfers on behalf the Charity

Security arrangements at the user level include:

• Dedicated workstation for each user.
• Workstations are locked when users away from desk
• Access to the network and applications on the network or password protected
• Work stations all equipped with virus protection
• Laptops and mobile phones only issued when deemed required
• Remote workers access the Charity’s hosted server/network via Remote Access application
• Visitors have no access to the Charity’s IT network

The Charity will endeavour at all times, wherever reasonably practicable, to comply with the ICO’s Code of Good Practise in regard to data sharing and undertakes in all cases to consider the legal implications of sharing data before doing so.

The Charity engages in two main types of data sharing:

• The systematic, routine data sharing with Data Processors
• Exceptional, one-off decisions to share data for a range of purposes.

The Charity will ensure:

• A written contract (and/or Protocol) exists between the two parties
• The Processor only acts on the instructions provided by the Charity
• The Processor has adequate and appropriate security arrangements in place, that as a minimum satisfy Principle 8 of the DPA.
• The Processor is registered with the ICO (if applicable)

When sharing sensitive data which may be unexpected or objectionable to the individual, the Charity will issue a ‘privacy notice’; written confirmation of who we are, why the data is to be shared and with whom it is to be shared.

A Privacy Notice will not be issued when the purpose for sharing the data relates to the prevention or detection of a crime, apprehension or prosecution of an offender or for the access or collection of tax/duty.

The Charity shall take all reasonable measures to ensure that promotional material is not sent to people who do not wish to receive it.

These measures include:

• Inclusion of ‘opt in’ boxes for all channels of communication
• Appropriate screening against the Telephone Preference Service (TPS) and the Mailing Preference Service (MPS) as standard practice
• Control and compliance in regard to direct marketing calls
• Regular and routine reviews of preferences will be undertaken every 18 months
• Ensuring all staff receive training appropriate to their level of responsibility

The Charity does not use data matching and tele appending services. In the unlikely event the use of these services is essential, the Charity will ensure explicit, informed consent is obtained from the data subjects before doing so.

As a general rule, the individual is responsible for notifying the Charity of any changes in his/her personal circumstances. Change notifications are actioned within 2 working days of receipt.

In addition, the Charity will conduct an audit of personal data held against each category of data subjects on a rolling basis.

All data subjects have the right to request access to their personal information held by the Charity. In normal circumstances the SAR should be submitted in writing (email or fax will suffice) to the General Manager. The General Manager will respond to the request within 40 days of receipt. The Charity reserves the right not to accede to a SAR if disclosing the requested information constitutes a breach the rights of another individual or if the request is made within an unreasonable timeframe of or a previous request.

Data pertaining to a child (regardless of their age) legally belongs to the child. Whilst it is normal for a parent or guardian to make the request on the child’s behalf, the Charity reserves the right to respond directly to the child - if the child is considered to be suitably mature to understand his/her rights.

Hard copy records are destroyed by shredding. Soft copy records are deleted from the relevant data base and the data processor is advised accordingly.

The Charity will investigate any concern or complaint raised by a member of the public in regard to how their personal data has been processed and provide a written response in the shortest time possible. The response will detail the investigative steps taken and provide clarification on how the individual’s personal information has been processed. Where appropriate, the response will also detail the steps taken/to be taken to put right any shortfall in performance against the expectations of the individual’s rights.

If the member of the public remains dissatisfied with the outcome of the proceedings, they will be informed of their right to escalate their concern to the ICO.

All staff will be made aware of the Charity’s arrangements in regard to GDPR compliance on commencement of their employment and made aware of changes to the arrangements as required thereafter.