This policy describes how and why Cancer Research UK uses your personal information, how we protect your privacy when doing so, and your rights and choices regarding this information. We promise to respect any of your personal information which is under our control and to keep it safe. We aim to be clear when we collect your information about what we will do with it.
We are a large charity with relationships with thousands of fundraisers, volunteers, supporters and researchers, so we use personal information on a day to day basis in order to operate. Our use of personal information allows us to make better decisions, fundraise more efficiently and, ultimately, helps us to reach our goal of enabling three in four people to survive a cancer diagnosis by 2034.
This policy was last updated on 28th March 2022.
Who we are
- Cancer Research UK (registered charity in England and Wales (1089464), Scotland (SC041666) and the Isle of Man (1103), a company limited by guarantee in England (4325234) and the Isle of Man (5713F)); and
- its group companies Cancer Research UK Trading Limited (company number 4355631 in England) and Cancer Research Technology Limited (company number 01626049 in England).
We collect information in the following ways:
Information you provide to us directly
You may give us your information in order to sign up for one of our events, make a donation, purchase our products, register as a volunteer, media volunteer or ambassador for us, join our patient involvement network, apply for research funding, use our cancer information services or otherwise communicate with us.
In addition, in accordance with common website practice, we will receive information about the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
Information you provide to us indirectly
Your information may be shared with us by third parties, for example:
- if a friend or family member signs you up for one of our events
- professional fundraising agencies;
- independent event organisers, for example the London Marathon or fundraising sites like Just Giving, Facebook donations or Virgin Money Giving;
- if you sign up as a volunteer for us through a Job Centre or external volunteering website;
- if you are a researcher and your information is shared with us by the principal investigator or institution.
We also may receive data about you from subcontractors acting on our behalf who provide us with technical, payment or delivery services, and from business partners, advertising networks and search/analytics providers used on our website.
Information from other sources
We also use information from the following sources:
Communication, engagement and actions taken through external social media platforms that we participate on are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.
You are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to your own privacy and personal details.
Information available publicly
We supplement information on our supporters with information from publicly available sources such as charity websites and annual reviews, corporate websites, public social media accounts, the electoral register and Companies House in order to create a fuller understanding of someone’s interests and support of CRUK. For more information, please see our section on “Building profiles of supporters” below.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect, store and use the following kinds of personal information:
- your name;
- your contact details (including postal address, telephone number, e-mail address and/or social media identity);
- your date of birth;
- your gender;
- your bank or credit card details where you provide these to make a payment;
- if you volunteer for us or apply for a job with us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context, as well as any unspent criminal convictions or pending court cases you may have);
- if you apply for research funding, information necessary to process your application, such as your employment history; the employment history of individuals who will be working on the grant, including any allegations of bullying or harassment and salary information for anyone who’s salary will be funded by the grant;
- information about your activities on our website(s) or social media platforms when you interact with us, and about the device you use to access these, for instance your IP address and geographical location;
- information about events, activities and products which we consider to be of interest to you;
- information relating to your health (for example if you are taking part in or attending an event for health and safety purposes, as well as where you share your experiences of cancer with us);
- where you have left us a legacy, any information regarding next of kin with which you may have provided us to administer this;
- information as to whether you are a taxpayer to enable us to claim Gift Aid;
- age, nationality and ethnicity information for monitoring purposes; and
- any other personal information you provide to us.
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data (known as “special category data”) would be information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information.
We only collect this type of information about our supporters to the extent that there is a clear reason for us to do so, for example asking for health information if you are taking part in a sporting event, or where we ask for information for the purpose of providing appropriate facilities or support. We will also collect this type of information if you make it public or volunteer it to us – for instance if you tell us you have cancer when applying for an Ambassador role, call our Cancer Information Nurses or use our Cancer Chat service.
Wherever it is practical for us to do so, we will make clear why we are collecting this type of information and what it will be used for.
As a large organisation, carrying out many different tasks we use personal data for a wide number of purposes. We will use personal information to:
- provide you with the services, products or information you asked for;
- administer your donation or support your fundraising, including processing Gift Aid;
- keep a record of your relationship with us;
- respond to or fulfil any requests, complaints or queries you make to us;
- understand how we can improve our services, products or information by conducting analysis and market research;
- manage our events;
- check for updated contact details against third party sources so that we can stay in touch if you move (see “Keeping your information up to date” below);
- to protect the health and safety of you, our staff, volunteers and other members of the public (also see “Covid Track & Trace” below)
- further our charitable objectives;
- register, administer and personalise online accounts when you sign up to products we have developed;
- send you correspondence and communicate with you, using traditional channels and via social media platforms
- process applications for funding and for administration of our role in the projects we fund;
- monitor the appropriate use of grant funds, including expenditure on individual salaries, and consider any virement requests
- ensure that participants involved in CRUK research are treated with dignity and respect
- if you are or have been a CRUK-funded researcher, invite you to act as a peer reviewer on grant applications in accordance with the conditions of your grant
- administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
- test our technical systems to make sure they are working as expected;
- contact you if enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, to see if we can help with any problems you may be experiencing with the form or our websites;
- display content to you in a way appropriate to the device you are using (for example if you are viewing content on a mobile device or a computer);
- generate reports on our work, services and events;
- safeguard our staff and volunteers;
- conduct due diligence and ethical screening;
- Identify potential supporters, donors, researchers or other partners;
- monitor website use to identify visitor location, guard against disruptive use, monitor website traffic, personalise information which is presented to you and/or to provide you with targeted advertisements;
- process your application for a job or volunteering position;
- conduct training and quality control;
- audit and administer our accounts;
- meet our legal obligations, for instance to perform contracts between you and us, or our obligations to regulators, government and/or law enforcement bodies;
- carry out fraud prevention and money laundering checks;
- undertake credit risk reduction activities; and/or
- establish, defend or enforce legal claims.
Cancer Information Services
We run services to provide support to individuals affected by cancer, and collect personal information in order to provide those services, this includes our Cancer Information Nurses and our online forum, Cancer Chat.
Cancer Information Nurses may receive personal information about your health when you speak, email or contact them by post. They will use this information to answer your questions. Your questions will be recorded for training, quality monitoring and evaluating the services we provide and will be stored securely. Information you provide to the nurses will not be used for marketing purposes and will not be passed to anyone else without your express permission or in cases where this is required by the nurses’ professional code of conduct or the law.
Cancer Chat asks you to provide your email address when you register and may contact you about administrative issues and changes to the forum. With your consent, we may also use your email address to send you information about our work. We advise users to be careful not to post information which would allow them or others to be identified by other forum users, however some users may choose to do so. We may also collect and retain your information if you send feedback about our services or make a complaint.
Building profiles of supporters and potential supporters
At Cancer Research UK, our life-saving work is only made possible thanks to the generosity of our supporters – so it’s vital that our fundraising efforts are as effective as they can be. By developing a better understanding of our supporters through researching them using publicly available sources we can tailor and target our fundraising events and communications (including volunteering opportunities) to those most likely to be interested in them. This allows us to be more efficient and cost-effective with our resources, and also reduces the risk of someone receiving information that they might find irrelevant, intrusive or even distressing.
We may also obtain information about potential donors or individuals who might want to support us by fundraising or by speaking about their experience with cancer where these have been shared publicly, where they have not previously provided us with information.
What information do we collect?
We use information we hold about our supporters and potential supporters to research their potential to be a significant donor or volunteer fundraiser for CRUK and collect additional details relating to their employment and any philanthropic activity. We may also estimate their gift capacity, based on their visible assets, history of charitable giving and how connected they are to CRUK.
Which information do we use?
We use data which has been provided directly to CRUK and combine this with information from publicly available sources such as charity websites and annual reviews, corporate websites, public social media accounts, the electoral register and Companies House in order to create a fuller understanding of someone’s interests and support of CRUK. We only use reputable sources, where someone would expect their information may be read by the public. We avoid any data that we believe has not been lawfully or ethically obtained, and we do not use information sources which have not been made public.
We’re committed to putting you in control of your data and you’re free at any time to opt out from this activity. To find out more, please contact 0300 123 3379 or firstname.lastname@example.org.
Our use of personal data for digital advertising and sharing content
We use your personal data to tailor the marketing you see on websites, apps, social media and advanced TV, and to measure it's effectiveness. This may be via Social Plugins (e.g. Like and Share buttons) or by providing the 3rd party platform with a list of email addresses or phone numbers which they use to target individuals with, or exclude them from seeing, our advertisements. We will only include supporters in these lists if they have opted in to receiving our marketing.
The contract terms, under which they act as our processor for this purpose, do not permit them to make any further use of the details we provided. Data is deleted once it is no longer in use.
We believe we have a legitimate interest in customising our social media communications in this way. If you do not wish us to do so, you can always tell us not to share your information with 3rd party platforms by contacting us at 0300 123 3379 or email@example.com. You can also change your settings on social media, apps and advanced TV platforms to stop this kind of targeting from specific or from all advertisers.
Our use of Google Analytics for targeted advertising
We work with Google Analytics to bring you targeted advertising about our work and to improve your experience on our website.
To do this we upload information about you to Google Analytics, for example, your age and gender. We use technical and organisational measures that are recognised by the Information Commissioner’s Office to ensure the safeguarding of this information.
We will only upload information about people who have signed up to one of our events, such as, Race for Life. We will never use information that can identify you directly, for instance, your name or address.
Google Analytics act as our processor, this means that they are not legally allowed to do anything further with the information we upload, other than provide you with targeted advertising about our work.
We believe we have a legitimate interest in bringing you targeting advertising about our work and to try and improve your experience on our website.
Covid-19 Track and Trace
In some circumstances, for example if you visit one of our shops, offices or labs, we will need to collect your contact information to support the tracing of Covid-19 infections.
We will use this data to fulfil our health and safety responsibilities including:
- Identifying if members of staff/volunteers have to self-isolate
- Closing and deep cleaning shops
- To make sure others with whom you have been in close contact (as defined by government guidance) can be informed if there is a positive case of Covid-19 (coronavirus).
Under the General Data Protection Regulation, we must determine the legal basis for processing. The legal bases for processing this data will be:
- Article 9(2)(g) Where it is necessary for the reasons of substantial public interest
- Article 9(2)(b) Where it is necessary for the reasons of Employment, social security and social protection law
In this current pandemic we may share your information with other public authorities, emergency services, and other stakeholders as necessary and where it is proportionate to do so.
We will only keep the personal data collected for 21 days from collection as advised by the UK Government. Guidance from the UK Government. Where we do not need to continue to process your personal data, it will be securely destroyed
We think it’s important to let our supporters know how their money is being spent and to say thank you for their generosity. We send information to individuals who have supported us to say thank you and provide updates on our work. We will tailor the amount and type of these communications depending on the ways in which you have provided support, for example the volunteers in our shops will receive more regular and detailed updates.
If you ask for details of, or register for, a CRUK event or fundraising activity, we will send you information including, where relevant, ideas for fundraising, key information about the activity and reminders to submit any money raised.
Where you have signed up for an event with a third party (for example the London Marathon) and told the event organiser that you wish to fundraise for us, we may contact you with information and support for your fundraising for that event.
If you take part in a CRUK or third party event, we may contact you to let you know that the event is happening again and how you can register, unless you have specifically opted out of further marketing.
Being able to contact previous supporters to ask them to consider supporting us again is a very cost effective way of raising funds. Our marketing communications include information about our latest breakthroughs, campaigns and lifesaving work and requests for donations or other support. Occasionally, we may include information from partner organisations or organisations who support us in these communications. When you provide your details to us, you will be asked to opt in or opt out of receiving marketing.
We may use information we hold about you, for example the record of your previous donations to and/or relationship with us, your location and demographics, as well as the type of activity you have been involved with, to tailor our communications with you about future activities.
If you’ve decided you don’t want to be contacted for marketing purposes, we may still need to contact you for administrative purposes. This may include where we are processing a donation you’ve made and any related Gift Aid, thanking you for a donation or participation in an event, or keeping in touch with you about volunteering activities you are doing for us.
We will never sell or rent your information to third parties for marketing purposes.
Managing your contact preferences
We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing. If you don’t want to hear from us, that’s fine, and you can change your preferences at any time. Just let us know when you provide your data or contact us on 0300 123 3379 or firstname.lastname@example.org.
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators such as the Charity Commission, Fundraising Regulator, Information Commissioner or Gambling Commission, or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us (for instance some branded merchandise or an event place), applying to work/volunteer with us, or being funded to undertake research.
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities Cancer Research UK carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
- analysis and profiling of our supporters or potential supporters;
- updating your address using third party sources if you have moved house (please see the “Keeping your information up to date” section below for more on this).
- use of personal information when we are monitoring use of our website or apps for technical purposes;
- use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and researchers;
- sharing of personal information between relevant teams and committees within Cancer Research UK and between Cancer Research UK’s group companies and fundraising partners;
- where you have signed up with us on a charity place for a third party event (for example a sponsored run not organised by Cancer Research UK), sharing personal information with the third party event organiser so they can administer the event.
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way.
When we use special category personal data (please see the “What personal information we collect” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
We ensure that there are appropriate technical and organisational controls (including physical, electronic and managerial measures) in place to protect your personal details. For example our online forms are always encrypted and our network is protected and routinely monitored.
Some of our suppliers run their operations outside the United Kingdom, including within the European Economic Area (EEA). This includes countries which do not have the same data protection laws as in the UK. In these circumstances, we will make sure they provide an adequate level of protection in accordance with UK data protection law, and confirm that appropriate safeguards are in place.
We take into account various criteria when determining the appropriate retention period for personal data including:
- the purposes for which we process your personal data and how long we need to keep the data to achieve these purposes;
- how long personal data is likely to remain accurate and up-to-date;
- for how long the personal data might be relevant to possible future legal claims;
- any applicable legal, accounting, reporting or regulatory requirements which specify how long certain records must be kept.
We may share your information with organisations with whom we undertake joint fundraising campaigns. This may be to ensure that our supporters are not contacted by both organisations, to enable us to assess the success of our activity or to facilitate due diligence where large donations are made to a particular cause.
Examples include The American Friends of Cancer Research UK, Channel 4 (for Stand Up to Cancer), The Francis Crick Institute, Manchester University and The Christie Hospital. We will always conduct a legitimate interest assessment where we do so, and aim to make it clear when collecting personal data that this may be shared.
We will never sell or rent your information to third parties for marketing purposes.
We may also disclose your information to third parties in connection with the other purposes set out in this policy. These third parties may include:
- business partners, suppliers and sub-contractors who may process information on our behalf;
- if you are a researcher, volunteer advisory panels, any joint funders of research, host institutions and external members of our committees;
- if you are a legacy giver, we may share information with co-beneficiaries;
- advertisers, social media platforms and advertising networks
- analytics and search engine providers;
- IT service providers.
Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider this necessary, to protect the rights, property or safety of Cancer Research UK, its personnel, visitors, users or others.
We reserve the right to disclose your personal information to third parties:
- if we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets; and/or
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets.
We may use information from external sources such as the post office national change of address database and/or the public electoral roll to identify when we think you have changed address so that we can update our records and stay in touch. We only use sources where we are confident that you’ve been informed of how your information may be shared and used.
We do this so we can continue to contact you where you have chosen to receive marketing messages from us and contact you if we need to make you aware of changes to our terms or assist you with problems with donations.
This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to.
We’re committed to putting you in control of your data and you’re free at any time to opt out from this activity. To find out more, please contact 0300 123 3379 or email@example.com.
We really appreciate it if you let us know if your contact details change.
Under UK data protection law, you have rights over personal information that we hold about you. We’ve summarised these below:
Right to access your personal information
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, send a description of the information you want to see by post to Supporter Services, Cancer Research UK, PO Box 1561, Oxford, OX4 9GZ or by email to firstname.lastname@example.org
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.
Right to restrict use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions, you have the right for this to be done. If we are unable to delete your information, we will explain why this is the case.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal information
If we are processing your personal information based on our legitimate interests or for scientific/historical research or statistics, you have a right to object to our use of your information.
If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
If you want to exercise any of the above rights, please contact us on Supporter Services, Cancer Research UK, PO Box 1561, Oxford, OX4 9GZ or by email to email@example.com. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office (ICO).
If you are unhappy with any aspect of how we are using your personal information we’d like to hear about it. We appreciate the opportunity this feedback gives us to learn and improve. You can find out more and read our Complaints Policy on our web pages.
You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office, the UK data protection regulator.
If you have any questions, comments or suggestions, please let us know by contacting our Supporter Services team at firstname.lastname@example.org or by phone on 0300 123 1022.
Cancer Research UK also has a Data Protection Officer, who can be contacted at:
The Data Protection Officer
Cancer Research UK
2 Redman Place