Privacy Policy

Operation Smile United Kingdom is committed to protecting personal information and being transparent about what information we hold on anyone who has been in contact with Operation Smile.

This Privacy policy describes how and why Operation Smile collects and uses your personal information; how we protect your privacy when doing so and highlights your rights and choices relating to this information. We understand that privacy is a human right that benefits us all. Using data fairly and securely is important to us.

Operation Smile is an international medical volunteer-based charity dedicated to improving the lives of children with cleft worldwide. We have provided hundreds of thousands of safe surgeries for those born with cleft lip and cleft palate worldwide since being formed.

In this policy ‘Operation Smile’, ‘Operation Smile United Kingdom’, ‘OSUK’, ‘we’, ‘us’ or ‘our’ means:

  • Operation Smile United Kingdom, a registered charity in England and Wales (no. 1091316) and company limited by guarantee (no. 04317039)
  • Registered address is: Unit A, Genoa House, Juniper Drive, London, SW18 1FY

We are a Data Controller, registered with the Information Commissioner’s Office (ICO) (Registration Number ZA214541).

This Privacy applies to all information which is obtained and processed by Operation Smile and for which Operation Smile is the Data Controller.

The purpose of having a Privacy and Cookies Policy is to give a clear explanation about why and how Operation Smile United Kingdom collects and uses any personal information. We ensure that we follow strict guidelines as per the Data Protection Act 2018 and EU General Data Protection Regulations and Privacy & Electronic Communications Regulations 2018. Our aim is to ensure that by respecting the privacy of our data subjects this will bring about benefits to them and in turn OSUK.

This policy applies to all activities undertaken by OSUK within the UK and abroad. We collect data to meet our objects as stated in its Memorandum and Articles of Association 2011 and defined strategic goals and objectives. The processing of data will be handled securely and sensitively to the best of our abilities and in line with our data classification.

OSUK as Data Controller, and like most website owners, receives and records information from various sources. The type of information we and/or our third-party providers collect depends on the interaction between you and us. This could be when donating, applying for a job/to volunteer or through an online purchase. We gather information through postal communications, visits to our websites or apps, participation with our business/corporate partners, electronic communications, volunteering, and communications through social media. We and/or our third-party providers may also collect information publicly available through third party platforms (such as online social media platforms), online databases, information available publicly or that is otherwise legitimately obtained.

The type of information collected is also related to the interaction. This may include:

  • Your name
  • Bank/card details
  • Postal address or email address
  • Phone number
  • Gender
  • Date of Birth
  • Education
  • Employment History
  • Medical history
  • Tax status/Gift Aid eligibility
  • Consent
  • Mode of communication preference(s)
  • Details of your connection to the charity
  • Key details required if you are applying to be a medical volunteer or other type of volunteer
  • Any other information you provide us

We also collect information through cookies and similar technologies. This information is usually anonymised information such as how you arrived at our website, pages you visited or general location. It may further collect information e.g. the device you use to browse our website or apps, the IP Address and related information, browsing history on our website and apps, how you search our website or if you communicated with us. Personal information is only collected if you for instance apply a ‘remember me’ identification for any reason.

Your information may be shared with us by third parties, which might include:

  • independent event organisers, for example the British 10k and fundraising sites like Just Giving or Virgin Money Giving;
  • professional fundraisers; and
  • subcontractors acting on our behalf who provide us with technical, payment or delivery services, our business partners, advertising networks analytics providers and search information providers.

You should check any privacy policy provided to you where you give your data to a third party.

Operation Smile United Kingdom is the sole owner of any information collected either as an organisation or by third-party on its behalf, web based or not.

We may use your information for several different reasons including:

  • provide you with the services and/or information you asked for
  • process any recruitment enquiry or application including employment, voluntary or paid
  • administer your donation or support your fundraising, including processing Gift Aid
  • keep a record of your relationship with us and your needs, preferences, etc
  • respond to or fulfil any requests, complaints or queries you make to us
  • understand how we can improve our services or information through monitoring, evaluation and research
  • understand who uses our services, to improve the accessibility of our services and to contact you by email for monitoring, evaluation, and research purposes
  • manage our events
  • check for updated contact details against third party sources so that we can stay in touch if you move (see “Keeping your information up to date” below)
  • further our charitable objectives
  • register, administer and personalise online accounts when you sign up to our fundraising events
  • send you correspondence and communicate with you
  • process applications for funding and for administration of our role in the projects we fund
  • marketing and fundraising promotions by use of photographs or videos captured in fundraising events and activities
  • administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems
  • testing our technical systems to make sure they are working as expected
  • contact you if you enter your details onto one of our online forms without ‘sending’ or ‘submitting’ the form, to offer help with any problem you may be experiencing with the form
  • display content to you in a way appropriate to the device you are using (for example if you are viewing content on a mobile device or a computer)
  • generate reports on our work, services and events
  • ask you to help us raise money or to donate through our appeals
  • safeguard our staff and volunteers
  • safeguard our premises and property, including the use of CCTV and entry systems
  • conduct due diligence and ethical screening
  • monitor website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to you
  • conduct training and monitoring and evaluation processes
  • audit and administer our accounts
  • meet our legal obligations, for instance to perform contracts between you and us, or our obligations to regulators, government and/or law enforcement bodies
  • carry out fraud prevention and money laundering checks
  • undertake credit risk reduction activities; and/or
  • establish, defend or enforce legal claims.

We collect data based on how we intend to use the data. Below are examples of why we collect and use your data

Direct Marketing and Fundraising

We will contact in line with your preferences to keep you up to date with the latest news and progress we make worldwide with our programs, to ask for additional donations or other forms of support and other updates including events, campaigns, patient stories and other information we deem useful to share.

Our donation forms have clear marketing preference questions which also include how you amend your marketing preferences or may opt out of future marketing

You can inform us of your preferences via the marketing preference questions which you can find on print donation forms, online donation pages and asked when making a phone donation. Alternatively you can let us know by contacting us on 0203 475 5126 or email info.uk@operationsmile.org.

We will not sell, share, or rent this information to others except as in meeting our objectives through for example third party outsource contracts/data processors or to the extent as required by law. Third-party contractors/agents are expected to meet our standards and are required to abide by our policies whenever we share or transfer information as agreed.

Segmenting

We target supporters by type of supporter, levels of giving based on giving history, when the supporter last donated and how engaged the supporter is within certain communication methods.

This approach enables OSUK to better target campaigns and mailings which may be of interest to that individual and get involved.

The approach is not used to identify individuals but instead groups of supporters.

Special Events

We may invite supporters or key stakeholders to certain events OSUK is organising. The approach would involve looking at type of supporters or stakeholders, whether certain individuals have attended events in the past and the geographical location of the supporters or stake holders to determine whom should be invited.

Data Analysis

We will analyse using data such as giving history, type of supporter, frequency of giving, method of giving, geographical information, communication preferences and other information we deem important to the data we are analysing.

This allows us to identify whether a particular campaign has been successful or not, identify key trends and any other key learnings of the donor base which can impact key decisions in relation to marketing and spending funds in order to raise awareness and raise further funds.

Data Matching

We may combine personal information provided to us alongside data obtained from external sources to help better understand the social, demographic, and financial characteristics of our supporters.

This information is used to better meet your needs with regards to more tailored communication or the needs of others like you based on the information we gain from the profile we build.

We will not use this data in any way that might intrude upon an individual’s rights or be considered inappropriate.

Major Donor Analysis

Operation Smile United Kingdom may identify individuals who are deemed a “major donor” or “high level donor”. We identify this by:

  • analysing donors who fall within a specific giving level within a certain time frame or over a lifetime
  • Geographical information we hold on our database
  • Researching an individual and capturing information available publicly
  • Any key information the individual has provided us over time at their own accord

Any supporter who fit the “major donor” or “high level donor” criteria will be targeted with tailored communications, special invites to events and other bespoke communication.

Look-a-Like Audiences

We may also use existing donor data to build “lookalike” audiences, to reach more individuals who might be interested in Operation Smile United Kingdom.

Social Media

You may have given us permission to contact you by using your email address and as such we may use your email address to participate in Facebook’s “Custom Audience” program which allows us to display adverts to existing or new supporters via the Facebook platform.

The email addresses are used to determine whether you are an existing Facebook account holder or not and if you are adverts will be shown via your Facebook feed.

Further information on Facebook’s custom audiences and data policies can be found below:

Automated Decision Making and Profiling

Email

We use an email marketing platform called Mailchimp which assigns email subscribers a score from 1 being the lowest and 5 being the highest. The score represents how engaged an email subscriber is to our email content and this is assigned automatically from Mailchimp. Operation Smile uses this rating to tailor the messaging accordingly, donation amounts we may ask for and frequency of the emails sent to our email subscribers.

Direct Mail and other fundraising approaches

Operation Smile will make decisions on what messaging donors should receive, frequency of mailings and other fundraising campaigns, donation amounts we may ask for, personalised content on what is being sent based on previous giving history and other marketing approaches we feel may be appropriate.

The decisions will be based on how we profile our data which would include profiling donation history and recency of donations.

 

Operation Smile United Kingdom is committed to putting you in control of your data so you are free to opt out of your information being used in any way above by contacting info@operationsmile.org.uk or calling 0203 475 5126.

Data protection laws mean that each use we make of personal information must have a ‘legal basis’. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.

Specific Consent

This is where we have asked you to provide specified consent to us to use your personal information in a certain way e.g. via telephone, email, or SMS. You have the right to withdraw consent for any future use of your information for this purpose at any time.

Legal Obligation

We may need to collect, process, and disclose personal information to comply with a legal obligation.

These will include third party agencies and regulators such as Charity Commission, Fundraising Regulator, Information Commissioner or HMRC.

Performance of a contract

We also have a legal basis to collect and process data on you in the performance of a contract. For example, if you purchase something from our online Smile Shop or agree to work for us, we need to be able to process your information for the purpose of meeting our contractual obligations.

Legitimate Interest

When we use our legitimate interests as the legal basis for processing your personal information, we consider and balance any potential impact on you as well as your rights under data protection laws. We would not use your personal information in a manner that would be deemed overly intrusive to you.

We will use legitimate interest as the legal basis for processing for the following for e.g.:

  • Sending postal communication we feel may be of interest to you or for administrative purposes i.e. Direct Debit confirmation letter, Gift Aid confirmation wording etc…
  • Profile and analyse supporters based on the information we hold already
  • Updating your address using third party sources if you have moved away
  • Updating mortality status of deceased supporters to prevent further communications being sent
  • Better understand how people interact with our website
  • Promoting Operation Smile United Kingdom on social media, Google, YouTube and other online platforms
  • Research or evaluating to assess beneficiaries suitable for our medical surgeries/programmes
  • Administer, review, and keep of people we work with
  • Sharing within relevant teams such as third-party event organisers

We may source contact information from trustworthy third-party data providers which may be used for marketing and awareness purposes including direct mailing. This would be processed under legitimate interest.

Vital Interests

We have a legal basis to use your personal data where it is necessary to protect life or health for example in an emergency situation or safeguarding issue which require us to contact people unexpectedly or share information with emergency services.

If your personal details change, please help us to keep your information up to date by notifying us. We make it easy for your to tell us how you want us to communicate with you. Our forms have clear marketing preference questions, and we include information on how to opt out when we send marketing information. If you don’t want to hear from us, you can change your preferences at any time using any of the options below:

Phone: 020 3475 5126

Email: info.uk@operationsmile.org

Post: Operation Smile United Kingdom, Unit A, Genoa House, Juniper Drive, London SW18 1FY

For email marketing you may amend/unsubscribe from email communications at the bottom of any email you receive. The options available to you will be update your preferences or unsubscribe from this list.

Please be aware that if you decide that you no longer want to be contacted for marketing purposes, we may still need to contact you for other purposes such as processing a donation for which you’ve made a related gift aid declaration, or keeping you in touch about volunteering activities you are undertaking for OSUK.

Storage of information is important to us as is your privacy.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for or by law. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. Where we provide personal information to third parties, we have similar considerations when agreeing an appropriate retention period.

At the end of the retention period your information will either be securely and confidentially destroyed or anonymised. Anonymisation is the process of either encrypting or removing personal information from data sets, so that it is not possible to identify individuals from the data.

We will not sell, share, or rent this information to others except as in meeting our objectives through for example third party outsource contracts/data processors or to the extent as required by law. Third-party contractors/agents are expected to meet our standards and are required to abide by our policies whenever we share or transfer information as agreed.

We will endeavour to undertake privacy impact assessment whenever there is fundamental change in the way we process data, implement suitable records management systems, and log data security incidents. This will enable us to keep rigorous control of information held and your privacy.

If you wish to get in touch to discuss or exercise your rights regarding your personal data, please to get in touch with our supporter care team:

Email: info@operationsmile.org.uk (include the subject line: DATA PROTECTION)

Telephone: 020 3475 5126

Post: Operation Smile United Kingdom, Unit A, Genoa House, Juniper Drive, London, SW18 1FY

Below is a list of your rights you have under data protection laws in relation to your personal information:

Right of Access

You may have access to your personal information by contacting us with a “data subject access request”. Please be sure to state what information you wish to have access to in order for us to provide this.

Please note any request will only be adhered to once we have successfully confirmed your identity.

Right to have your inaccurate personal information corrected

You have the right to have inaccurate or incomplete information we hold about you corrected. Do contact us so we can investigate this and amend your records accordingly.

Right to Restrict Use

You have the right to ask us to restrict the processing of some or all of your personal information.

Right to Erasure

At your request we will delete your personal information from our records providing we do not have an overriding legal obligation to do so e.g. comply with any legal obligations

Right for your information to be portable

If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.

Right to Object

You have the right to object to processing of your personal information where we rely on the legitimate interest basis (or those of a third party) or where we are processing your personal information for direct marketing purposes.

You may also object to processing on a legitimate interest basis for scientific/historical research or statistics.

You have the right to make an official complaint to the UK’s Information Commissioner’s Office (ICO) if we have infringed your rights and not resolved satisfactorily. The ICO can be contacted at: https://ico.org.uk/global/contact-us/ and concerns can be also logged via the ICO website.

Further information regarding your rights can also be found via the following ICO website link: https://ico.org.uk/your-data-matters/

OSUK takes the care of your data very seriously and we use a combination of organisational and technological security measures to protect your personal information to the highest possible standards. This includes the use of secure servers, firewalls, virus & malware protection, secure socket layer (SSL) encryption and secure file transfer protocol for our work with third parties. We follow payment card industry (PCI) security compliance guidelines when processing credit card payments and ask our third -party suppliers to provide confirmation of their PCI compliance status on an annual basis.

We also have strict policies in place to use complex password structures and authentication technology to access Microsoft packages or Mailchimp for email marketing.

Further to this, our offices are alarmed and monitored by an alarm servicing company to help minimise access to offline data.

Training
Policies/Training

Staff are internally trained annually to adhere to data protection policies and procedures and are required to pass a cyber security protocol test through an external provider. They have access to all other security policies at all times including office security.

Fundraising Database

Operation Smile United Kingdom keeps personal donor information on the Raiser’s Edge NXT database which is cloud hosted by Blackbaud. Risk assessments are carried out on an ongoing basis and OSUK is satisfied that Blackbaud adheres to an extremely strict data security protocol.

Medical Volunteer Database

We keeps medical volunteer data on an internal GVMS database hosted by Microsoft Dynamics. This is cloud hosted and Microsoft adhere to extremely strict data security protocol.

PCI Compliance

We care about the safety and security of your transaction. We use high grade encryption and the https security protocol to communicate with your browser software. This method is the industry standard security protocol, which makes it extremely difficult for anyone else to intercept the card information you give us. Companies we work with to process card transactions also use high grade encryption and security protocols and are required to confirm their compliance status regularly.

OSUK is PCI Compliant and the monitoring of its web access point/ports is monitored by the IT team in Operation Smile Inc., UK consultants and/or Security Metrics Ltd. Non-compliance is immediately reported to us and we take all necessary steps to fix breaches at the earliest opportunity.

Internet

Whilst we take all the measures that we’ve listed above, unfortunately, the transmission of information using the internet is not completely secure. We will do our best to protect your personal data sent to us this way but we cannot guarantee the security of data transmitted to our site.

Data Breach

In the unlikely event that we experience a data breach, our Data Protection Officer would immediately work with our Senior Management Team and liaise with the Information Commissioner’s Office as necessary.

Cookies are small pieces of information stored by your internet browser onto your computer or mobile device. OSUK uses session cookies to ensure that you can interact with our websites successfully; to find out more about our cookies policy and usage, please click here.

Except in exceptional circumstances (as outlined in this process) requests to change donor information including changes to direct debits, standing orders or any other kind of donation, can only be authorised by the donor.

We can only take instructions from a third-party with the express consent of the donor or on evidence of the relevant power of attorney. This is to safeguard the interests of the donor with whom we have a relationship.

A request by a third-party to remove a donor from our mailing list or change mailing preferences may be considered exceptionally if we are convinced the third-party is acting in the best interests of the donor. This may be a judgement based on the donor’s history of giving, any unusual changes in the level of their giving or frequency of giving and any communication we have had with the donor regarding their gifts or mailing preferences. Any direct communication from the donor –verbal or written- which gives concern that the donor may lack capacity to make a sound decision and/or judgement could be taken as support on this. In this context our telemarketing agencies who call on our behalf in fundraising campaigns record conversations with prospective donors and where there is a concern relating to mental capacity these recordings could be used by OSUK for final decision making.

Please contact Operation Smile United Kingdom in the first instance requesting our Complaints policy and to give us a chance to resolve your complaint. Contact us on email at: info.uk@operationsmile.org or phone 0203 475 5126.

However, if you wish to make a formal complaint to the supervisory authority where you believe there has been an infringement of your rights under the GDPR, or where you are dissatisfied with our resolution, please contact the supervisory authority, Information Commissioner’s Office via their website or telephone 0303 123 1113. You may also make a complaint through the Fundraising Regulator or the Charity Commission as appropriate.

Breaches will be notified to the Information Commissions Office (ICO) as per regulations.

You may request a full copy of our complaints policy at any time.

Where it is necessary for Operation Smile United Kingdom to transfer your information outside non-EU countries and to third party agents within UK as disclosed in our purpose for collection, we will ensure that your information is protected to the same extent as in the European Union through one of the following safeguards:

  • Transfer to a non-EU country whose privacy legislation that ensures an adequate level of protection of personal data as determined by the European Commission; or
  • Put in place a contract with the service provider/fundraising agent stipulating that they must protect personal data to the same standards required by the European Union and the United Kingdom.

And using a safe and secure transfer process including encryption where necessary.

Staff are encouraged to use computerised equipment and software provided by OSUK. Virtual logins will be password protected and where possible encourage a two-stage authentication process.

Operation Smile United Kingdom is part of the worldwide alliance that is Operation Smile Inc. (OSI) with other partners and foundations. We collaborate and fundraise to deliver the global strategic objective of delivering care, cleft surgery, and other surgical programmes.

We may therefore disclose your information to third parties in connection with the other purposes set out in this policy. These third parties may include:

  • charity partners, suppliers and sub-contractors who may process information on our behalf
  • evaluators and researchers who may monitor and evaluate information to prove or improve the quality of a service, project, or programme
  • if you are a researcher or medical volunteer, any external programme collaborator
  • if you are a legacy giver, we may share information with co-beneficiaries
  • advertisers and advertising networks
  • analytics and search engine providers
  • IT service providers
  • Potential beneficiaries or funders of our programmes, who may be interested in your positive experiences

Whenever appropriate such information is anonymised and aggregated, so that no individual can be identified except where consent has been given.

Where our collaborators run their operations outside the European Economic Area (EEA), we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law, and appropriate safeguards are in place.

Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider this necessary, to protect the rights, property or safety of Operation Smile United Kingdom, its personnel, visitors, users or others.

We reserve the right to disclose your personal information to third parties in the event of OSUK winding up.

We are particularly respectful of the privacy of our young supporters. With regards to the use of the internet we encourage parents/guardians to monitor their children’s internet activities and help us protect their privacy by instructing them never to provide personal information on this or any other site without permission. We will in all circumstances try only to gather necessary information required to undertake our objective.

We have strict policies with regards to our marketing/email communication. We will not knowingly mail or email anyone under the age of 18 with any marketing related content. Communications to under 18s will be limited, and if related to fundraising will be in accordance with that as agreed with the minor and his/her legal guardian. If you are under 18 and wish to fundraise for Operation Smile United Kingdom, please ensure that you have consent from a parent or guardian before giving us your personal information.

If you have any questions about our Privacy Policy or queries on how we use or have used your information, please contact the Data Protection Officer:

By Post:

Operation Smile United Kingdom
Unit A, Genoa House
Juniper Drive
London SW18 1FY

By Phone

020 3475 5126

By Email

Email: info.uk@operationsmile.org with the subject/reference: DATA PROTECTION

We are committed to protecting vulnerable people and adhere to the following:

  • Listening to call recordings from data processors to ensure that individuals whom we believe, based on the conversation, do not have the mental capacity to make sound decisions on donating to OSUK have their gift cancelled or not processed.
  • Noting references in correspondence e.g. being forgetful, family concerns about their charitable spend or simply their handwriting and responding appropriately to these issues.
  • Taking on board concerns from third parties and generally being aware of mental capacity.

You may request a full copy of OSUK’s Child Protection Policy, which covers all vulnerable people, at any time by post, phone or via email.

Independent external and internal audits are conducted to ensure the privacy, security, and appropriate processing of your information by us.

All material on webpages under the domain operationsmile.org or operationsmile.org.uk is, unless otherwise stated, is the property of Operation Smile Inc. and or OSUK. These materials are protected by copyright and other intellectual property laws. Information received through this website may be displayed, reformatted, and printed for your personal, non-commercial use only. You may not reproduce or retransmit the materials, in whole or in part, in any manner, without the prior written consent of Operation Smile, with the following exception only: You may make single copies of the materials available through this website, solely for your personal, non-commercial use, and only if you preserve any copyright or other notices contained in or associated with them. You may not distribute such copies to others, whether in electronic form, whether or not for a charge or other consideration, without prior written consent of the owner of the materials.

Our website and microsites may contain links to other sites. Unless we expressly state otherwise, Operation Smile makes no representations whatsoever concerning the content of those sites. The fact that Operation Smile has provided a link to a site is not an endorsement, authorisation, sponsorship, or affiliation with respect to such site, its owners, or its providers. There are risks associated with using any information, software, or products found on the Internet, and Operation Smile cautions you to make sure that you understand these risks before retrieving, using, relying upon, or purchasing anything via the Internet. In addition, we encourage our users to read privacy and cookies policies of these linked sites. OSUK is not responsible for the privacy practices of other websites.

You may not create a link to this site that incorporates or relies upon, in whole or in part, any content from any page on this website, or that incorporates any copyright or otherwise intellectual property of Operation Smile without written permission from Operation Smile.

It is important to us at Operation Smile United Kingdom that we hear what you have to say about our organisation or our policies. If you have any suggestions, questions, concerns, or complaints or want to let us know what they think about our organisation, please contact us at 020 3475 5126 or email info@operationsmile.org.uk.

This policy will be reviewed periodically and may be changed/updated to reflect the review. Please ensure that you stay up to date by visiting our website and checking.

Last (fully) Reviewed: August 2017

Review Date: October 2020.

Download our Privacy Policy here