In this notice “we” or “us” refers to Action on Smoking and Health (ASH) Wales, a charity registered under number 1120834 and a company limited by guarantee (company number 6030302).

You have the right to ask for a copy of the personal information we hold about you under the Data Protection Act 1998. We may charge you a small fee for this. Please contact us at the address above, by phoning 029 2049 0621 or e-mailing enquiries@ashwales.org.uk

This policy describes how we collect information, the type of personal and confidential information we collect and what we will use that information for. This policy covers our website, our e-mail correspondences and our social media channels and includes, but not is not exclusive to, Choose Smokefree. This policy governs the privacy of users of the aforementioned and users are bound by these terms.

We reserve the right to amend, vary and/or to withdraw this policy and it can be amended at any date, without notice.

This policy tells you what to expect when ASH Wales collects personal information. It applies to information we collect about:

• Website users
• Newsletter subscribers
• Attendees at our events
• People who contact us
• People who contact us either in person, by mail, or by phone

ASH Wales will only use information collected about individuals in the manner set out in this policy. We are committed to protecting personal and confidential information. This policy adheres to the EU General Data Protection Regulation (GDPR) regulations 2016.

For the purposes of the Data Protection Act 1998, we are the data controller of your personal information. We reserve the right to amend, vary and/or to withdraw this Policy from time to time. In the event of any changes we will be responsible for determining the appropriate form that such notification should take.

Collection of personal and confidential information

Personal information is any information about an individual from which they can be identified, such as name, address, and email address. Confidential information would be information provided on the understanding that it will not be shared more widely or for purposes other than agreed.

ASH Wales Cymru will collect personal and confidential information provided by individuals when they agree to provide this. For example: making a donation, participating in an interview or completing a survey, entering a competition on our social media pages, when booking a place for an event or contacting the charity for other purposes by mail, e-mail, phone or via the website.

We may receive and store information automatically when you interact with us online, such as your IP address, browser type and whether you’re looking at our site on a mobile device or not. As with most websites, ASH Wales uses cookies to improve our website and user experiences.

Personal and confidential information may be supplied by individuals themselves or by third-party partners involved in joint initiatives with ASH Wales. Where the information is supplied by a third party, ASH Wales Cymru will ensure that express consent is given to share this information with the charity and that individuals are aware of how the information will be managed and used.

Use of personal and confidential information

ASH Wales will use the personal and confidential information provided by individuals for the following purposes:

• If they wish to attend an event to enable the management and administration of the booking
• If they wish to obtain a product or service (free or fee-paying) for the purpose of processing the order
• If they participate in an interview, complete a survey or are otherwise involved in providing research information, for the purpose of collating, reporting and analysing the results of research
• If they make a donation or other payment, for the purpose of processing the donation or payment
• For any purpose which reasonably arises out of or in connection with the individual accessing the services of ASH Wales
• If the charity needs to notify individuals about important changes or developments in ASH Wales, such as via the newsletter
• On occasion, to verify the personal and/or confidential information already supplied to ensure it is up to date and accurate. We reserve the right to request additional personal and/or confidential information from individuals in order to undertake checks (generally with respect to financial transactions) using appropriate third parties for this purpose. In such cases, we will obtain expressed consent to do this from the individual
• To contact individuals by post, phone or e-mail to promote the aims and objectives of the charity. Individuals may choose not to be contacted in this way for these purposes by e-mailing enquiries@ashwales.org.uk
• To contact individuals by post or email to promote our aims and objectives, to request donations, to provide details of our and/or third parties’ products and services which we think may be of interest to you and to ask you to complete questionnaires and surveys. You can choose not to be contacted in this way for these purposes by writing to ASH Wales Cymru

Disclosure of personal information

We will not sell or hire the personal information we collect about individuals to any third parties. We do, however, reserve the right to disclose personal information in limited circumstances to certain third parties as follows:

• To any sub-contractors we may engage to assist us in carrying out activities and services on behalf of the charity (e.g. researchers,) where those sub-contractors must abide by ASH Wales’s own Data Protection requirements and Privacy Policy.
• To sub-contracted event providers to enable the administration and management of the event, where those sub-contractors must abide by ASH Wales’s own Data Protection requirements and Privacy Policy.
• To the individual’s bank or building society and third parties who process donations and payments on our behalf.
• To appropriate third parties for the purposes of verifying your personal information and/or creditworthiness (with respect to a donation or other financial transaction.)
• Where disclosure is necessary (i) in response to a FOI, court order or government request or request by any other appropriate authority; (ii) for the purposes of taking legal action to establish or exercise our legal rights or defend legal claims against us; (iii) to investigate, prevent and/or take other action in connection with possible illegal activities, suspected fraud and/or situations involving potential threats to the physical safety of any persons; (iv) actual or suspected violations of the charity’s data protection policies; or (v) as otherwise required and/or permitted by law or regulation;
• We may also pass aggregate information on the usage of the ASH Wales website, participation in events, results of research studies, etc. to third parties but this will not include information that can be used to identify individuals (i.e. will be anonymous).

Disclosure of confidential information

We reserve the right to disclose your confidential information only in the following circumstances:

• To your bank or credit/debit card provider for the purpose of obtaining donations or payments
• To appropriate third party organisations who process credit/debit card payments on behalf of the charity
• Aggregate information resulting from participation in events or research studies, but this will not include information that can be used to identify individuals

Security and accuracy of personal and confidential information & data retention

ASH Wales has organisational measures in place designed to protect the personal and confidential information of individuals. We will use all reasonable measures to protect information from alteration, loss or misuse. We will retain personal and confidential information from individuals for a reasonable period and for so long as the law requires.

All information provided about individuals is stored securely. The charity will not be responsible for any personal information disclosed to third parties that does not offer a secure way to transmit information to the charity (e.g. email).

Although the greatest care is taken with user information, we cannot guarantee that any data transfer is 100% secure and cannot guarantee the security of any information you transmit. You transfer data at your own risk. Please be aware that email and other electronic communications are not secure if they are not encrypted, and that your communications may pass through servers in several countries before it reaches us. We cannot accept responsibility for any unauthorised access or loss of personal data that stems from a cause beyond our control, and we cannot be held responsible for the actions or omissions of third parties who may misuse your personal data if it is unlawfully collected from this site.

All information provided about individuals in printed format will be stored in locked filing systems and be available only to staff who require access to this information in order to undertake their work (e.g. event management, research studies, etc.).

All staff of the charity are bound by the organisation’s policy on Confidentiality and breach of this policy or others related to information management and data protection could constitute a disciplinary offence.

Manual destruction of files, records and computer printouts containing sensitive data and confidential information will be carried out in a secure manner (e.g. security shredding). Personal and confidential information provided by electronic means will be deleted from the charity’s systems on a regular basis.

Our registered address

14 Hollybush Rise, Cardiff, Wales, CF23 6TG. 029 2049 0621