Our Privacy Policy

 
 

‘the difference’ is NHS Borders’ official charity. Our mission is to enhance patient care in the Borders by providing ‘added extras’ that are over and above that which is provided by the NHS. ‘the difference’ is the legally known-as name for Borders Health Board Endowment Funds and is a registered charity, no. SC008225.

We are committed to ensuring that your privacy is protected. When we collect personal information about you, we promise to keep this information safe.

The information you share with us shapes and guides our future activities, such as events and appeals, and allows us to provide the greatest benefit to patients and staff of NHS Borders.

We make our best efforts to ensure all of our communications include information that is of interest to you, that you are kept abreast of projects that have been made possible, our future plans and fundraising activities, and that we contact you through your preferred channel(s): email, post or phone.

In accordance with the provisions of General Data Protection Regulations (GDPR) and the UK Data Protection Act 2018, this privacy statement sets out how we collect and use personal information and why it is important in enabling us to fulfil our charitable objectives.

What personal information do we collect?

Personal information is any information that could be used to identify you. The type and quantity of information we collect and how we use it depends on why you are providing it.

This includes information such as:

·       Name

·       Email address

·       Postal address

·       Telephone number

When you make a donation, it may include financial information such as credit card or debit card details.

Sometimes, you may share with us your reasons for supporting our charity and/or information relating to your health, such as the experience you, or someone close to you, have/has had in hospital.

Data protection law recognises that certain categories of personal information such as health information, political opinion, religious beliefs or racial or ethnic origin, are more sensitive. These categories are referred to as 'Special Category Data'.

As an NHS charity, many of our supporters' reasons for giving are related to their own experience, or the experience of someone they love, in our hospitals. Under data protection law, any personal information relating to your health is defined as 'Special Category Data'. If you choose to share that information with us, including through post, email, social media, or online giving pages, we will record it as part of our relationship with you, so we can fully understand the context of your relationship with us.

We would never use this information for anything else. We have no access to NHS records.

If we use your image in any media, including social media, newspapers and internal communications, we will seek explicit consent to use it. You can withdraw your consent at any point; however, once the image has been reproduced, ‘the difference’ has no control over where it is circulated.

We also store an archive of media material in hard copy, to highlight the charity's activities and achievements over its history.

We will always seek your consent to contact you via email, telephone, text/SMS for marketing or fundraising purposes. You can change your contact preferences at any time. Our forms also have clear e-marketing preference questions and we will always include information on how to opt out if/when we send you marketing.

Do we collect any personal information about children?

We are fortunate to have many supporters who are under the age of 18. If a child chooses to fundraise for us, take part in an event or make a donation, we do collect personal information but manage it in a way that is appropriate to the age of the child.

Where possible and appropriate we will seek consent from a parent or guardian before collecting information about children.

Some events have specific rules about whether children can participate, and we'll make sure advertising for those events is age-appropriate.

Where do we collect your information from?

When you make a donation, take part in one of our fundraising activities or want to find out more about our work, we collect some of this personal information from you.

Some of this personal information you share with us directly, by email, post or phone.

Sometimes, we may also obtain personal information about you from other sources, particularly if someone contacts us on your behalf, such as if you are taking part in a fundraising activity as part of a team, or if you are introduced to the charity by a friend or family member.

On other occasions, this information is shared with us through a third party - for instance an event provider or an online giving platform. These independent third parties will only do so when you have indicated that you wish to support ‘the difference.’ This information is shared either because it is necessary (we cannot provide our service without it) or because you have given the third party permission to do so.

Depending on your settings or the privacy policies for social media services like Facebook, Twitter, etc., you might give us permission to access information from those accounts or services.

The information we get from other organisations may depend on your privacy settings or the responses you give, so we suggest you regularly check them.

Cookie Policy

This Cookie Policy explains what cookies are and how we use them, the types of cookies we use (i.e. the information we collect using cookies and how that information is used), and how to control your cookie preferences. For further information on how we use, store, and keep your personal data secure, see our Privacy Policy.

What are Cookies?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.

Our website places cookies on your browser to help the site run effectively, provide you with the best experience and help us learn more about how you use our site.

Functional and Required Cookies

algoliasearch-client-js

·     Adds auto-populated suggestions to address fields in Scheduling to help clients complete forms faster

·     localstorage

·     Persistent

Crumb

·     Prevents cross-site request forgery (CSRF)

·     Cookie

·     Session

RecentRedirect

·     Prevents redirect loops if a site has custom URL redirects. Redirect loops are bad for SEO.

·     Cookie

·     30 minutes

squarespace-announcement-bar

·     Prevents the announcement bar from displaying if a visitor dismisses it

·     localstorage

·     Persistent

squarespace-likes

·     Shows when you've already "liked" a blog post

·     localstorage

·     Persistent

squarespace-popup-overlay

·     Prevents the promotional pop-up from displaying if a visitor dismisses it

·     localstorage

·     Persistent

squarespace-video-player-options

·     Remembers video player selected preferences (volume, playback speed, and quality) for videos uploaded directly to Squarespace

·     localstorage

·     Persistent

ss_cookieAllowed

·     Remembers if a visitor agreed to placing analytics cookies on their browser if a site is restricting the placement of cookies

·     Cookie

·     30 days

Test

·     Investigates if the browser supports cookies and prevents errors

·     Cookie

·     Session

Optional cookies are used to provide information on how you use our site. You can opt out of these using our cookies banner when you visit our site or through your browser settings. If you choose to restrict or block any cookies, this may result in certain features of the website not being provided and you may not be able to take full advantage of the website's features and functionality.

More information about cookies, including how to block them or delete them, can be found at AboutCookies.org

We may also use publicly available sources to carry out due diligence on donors or potential donors to meet money laundering and other regulations.

What do we do with the personal information we hold?

We use your personal data to:

  • support you as a donor - to process your donation, thank you for your gift, sign you up to an event, or register you as a volunteer

  • fulfil our legal obligations in meeting our audit and internal administrative requirements

  • where appropriate, claim Gift Aid on your donation

  • keep a record of your relationship with us, to ensure we understand your personal interests and wishes in interactions with you

  • ensure that our charity is meeting the needs and wishes of our supporters in providing the greatest benefit to patients and staff across NHS Borders by being an effective and efficient organisation

  • send you communications about our work and the difference your donations and fundraising make, as well as future appeals


How do we keep your personal information?

Your personal details are retained on our database, Beacon CRM. Beacon employs extensive security measures for securing Personal Data, including encryption, password security, firewalls, and two-factor authentication.

Debit and Credit Card Payments

‘the difference’ uses Stripe as an online payments provider. When you make a payment over the phone, you will need to provide your card details to the member of our staff who processes your payment. They will enter your card details into the website and submit the transaction for processing, after which they will not have access to your card details.

When making a payment or donation via our website, information you enter is secured via HTTPS and any credit card information is directly passed to Stripe. Full credit/debit card details are never passed to, or stored by ‘the difference’.

Stripe returns non-sensitive card information in the response to a charge request. This includes the card type, the last four digits of the card, and the expiration date, which is stored in our log files and is an essential part of providing the service.

Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

All payments made to us through our website or over the phone are subject to Stripe’s own privacy policy, which can be viewed here.

We strongly discourage you from sharing your credit or debit card details in any written form, including by e-mail. Please note that should you choose to share your card details with us in this way, we cannot accept liability for their interception and misuse by third parties.

How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff members have a legal and contractual duty to keep information secure, and confidential.

The following security measures are in place to protect personal information:

·       All staff undertake mandatory training in Data Protection and IT Security

·       Compliance with NHS Scotland Information Security Policy

·       Organisational policy and procedures on the safe handling of personal information

·       Access controls and audits of electronic systems

How long we keep your personal information

We will store your personal information for as long as is reasonably necessary for the purposes set out in this policy, taking into account relevant legal and regulatory retention requirements (e.g. tax or health and safety requirements) and operational considerations.

Who we share your personal information with

We will not share your data with any third parties unless you have consented for us to do so, for example if you register for an event. Where this is the case we will share the relevant privacy notice with you and secure your consent to do so. 

We may, however, disclose or share your personal data if we are required to do so in order to comply with our legal obligations or for the purposes of fraud prevention.

What happens if you request or ask us to stop processing your personal data?

You can request to withdraw your consent at any time by emailing thedifference@borders.scot.nhs.uk or by calling 01896 825520. You will receive notification of this request by email or letter.

You are able to opt out of our newsletters and updates at any time by selecting unsubscribe at the bottom of the email.

If you ask not to receive any marketing or fundraising communications from us, please be aware that your personal information may still be retained and marked to prevent you from receiving any communications and to allow us to have our work independently audited.

You have a right to ask us to remove your personal information, and if it’s not necessary for the purpose you provided it to us for, we will do so. In doing so, we will be unable to guarantee that you will not receive communications in the future, because we will have deleted your data and will therefore have no record of past requests from you.

If you want to guarantee that you will not receive communications from us, it is in your best interest for your data to be retained on our system so that your contact preference is recorded and adhered to.

We do not have any access to your medical records. We will not sell or lease your personal information to third parties. We will not share your information with a third party for their own purposes unless required by law to do so.

You may request details of personal information which we hold about you under Data Protection Law. You may contact us at thedifference@borders.scot.nhs.uk to request this information.

We appreciate your support and aim to ensure that your privacy is treated with respect at all times, in compliance with the current Data Protection Laws.

The lawful basis for collecting your data

The Charity uses any one of the following lawful bases for processing your personal information:

a) You have consented to us processing your data

b) There is a contractual relationship with you

c) We are legally obliged to process your data

d) We believe it’s in the legitimate interest of either you as the data subject, or us as the Charity, to process your data. Legitimate interest can be used where there is a reasonable purpose to process an individual’s data. For more information on legitimate interest, please see the ICO’s website or contact us.

Your rights

By law you have a number of rights when it comes to your personal information.

The right to be informed

You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights.

The right of access

You have the right to obtain access to your personal data that we are processing and certain other information.

The right to rectification

You are entitled to have your personal data corrected if it is inaccurate or incomplete. Please inform us of any data which you would like rectified and we will usually respond within a month of the request.

The right to erasure

This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your personal data where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions but where possible we will comply with your request.

The right to restrict processing

You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, we can still store your personal data, but may not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.

The right to data portability

You have rights to obtain and reuse your personal data for your own purposes across different services. We will do our best to provide the information in an easy to read format.

The right to object to processing

You have the right to object and ask us to stop processing your data; however, this may prevent us from fulfilling our contract with you.

The right to lodge a complaint

You have the right to lodge a complaint about the way we handle or process your personal data with a supervisory authority. The supervisory authority for the UK is the Information Commissioner.

The right to withdraw consent

If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful).

If you would like to exercise any of the rights set out above, please contact us at thedifference@borders.scot.nhs.uk or write to: The Difference, Fundraising Office, Education Centre, BGH, Melrose, TD6 9BS

If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) www.ico.org.uk

Contacting Us

Please do not hesitate to contact us about any matter relating to this Privacy Statement.

General Enquiries – thedifference@borders.scot.nhs.uk

Complaints – thedifference@borders.scot.nhs.uk

At any time, you can request to change your contact preferences by contacting us at:

The Difference

Fundraising Office

Education Centre

Borders General Hospital

Melrose TD6 9BD

Changes to our Privacy Policy

We reserve the right to change this statement and will update the information on this page accordingly. Any significant changes will be highlighted on our website or we may contact you directly.

This policy was last updated in September 2023.