Privacy notice
The National Autistic Society
This privacy notice applies to anyone who interacts with us regarding our products, services and schools by any method, (such as website, phone, email). We may, on occasion, provide further privacy information for specific contact methods or in relation to specific products or services.
If you have any questions about this, please contact us at dataprotection@nas.org.uk.
The National Autistic Society is registered with the Information Commissioner’s Office under the following registration number: Z7503397
Contacting our Data Protection Officer
Data Protection Officer
National Autistic Society
2nd Floor
Weston House
42 Curtain Road
London
EC2A 3NH
Email: dataprotection@nas.org.uk
-
We collect personal information from you when you:- submit a form, register with our website, make a purchase, make a donation, or otherwise provide us with personal information, whether online, email, on the phone or via post.
We may also collect information from other people and organisations.
For all our customers, we may collect information from:
- your parent/guardian, if you are under 18 years old
- a family member, advocate or someone else acting on your behalf
- doctors, other clinicians and health-care professionals
- local authorities
- third party organisations who carry out surveys or market research on our behalf.
-
Standard personal information includes:- contact information, such as your name, username, address, email address and phone numbers
- the country you live in, your age, your date of birth and national identifiers (such as your National Insurance number or passport number)
- information about your employment
- details of any contact we have had with you, such as any complaints or incidents
- financial details, such as details about your payments and your bank details
- the results of any credit or any anti-fraud checks we have made on you
- information about how you use our products and services
- information about how you use our website, apps or other technology, including IP addresses or other device information (please see our Cookies policy for more details).
Special category information includes:
- information about your physical or mental health, including genetic information or biometric information, information about your race, ethnic origin and religion (we may get this information from your medical or care home preferences to allow us to provide support and services that are tailored to your needs).
-
We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies. Please see below for more information about this and the reasons why we may need to process special category information.By law, we must have a lawful reason for processing your personal information. We process standard personal information about you if this is:
- necessary to provide the services set out in a contract − that is, to provide you and your dependants with our products, support, services and education
- in our, or a third party’s, legitimate interests − details of those legitimate interests are set out in more detail in the ‘Legitimate interest’ section below; or
- required or allowed by law.
We process special category information about you because:
- it is necessary for the purposes of providing support, (for example, medical diagnosis, to provide health or social care or treatment, or to manage health care or social care systems)
- it is necessary for an insurance purpose (for example, advising on, arranging, providing or managing an insurance contract, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law)
- it is necessary to establish, make or defend legal claims (for example, claims against us for insurance)
- it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, a member’s complaint or a regulator, such as the Care Quality Commission or the Information Commissioners Office, telling us about an issue)
- it is in the public interest, in line with any laws that apply
- it is information that you have made public; or
- we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for and ask you to confirm your choice to give us that permission. If we cannot provide a product or service without your permission (for example, we cannot manage and run a service without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a product or service that relies on having your permission.
We may process information about your criminal convictions and offences (if any) as a result of anti-fraud and anti-money-laundering checks or to check other unlawful behaviour or carry out investigations with other insurers and third parties for the purpose of detecting fraud. We do this if it is necessary to prevent or detect a crime.
-
We process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, for marketing, to help us improve our services and products and in order to exercise our rights. More detailed information about our legitimate interests is set out below.Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:
- to manage our relationship with you, our business and third parties who provide products or services for us
- to provide services on behalf of a third party (for example, a local authority)
- to make sure that complaints are investigated and handled efficiently
- to keep our records up to date and to provide you with marketing as allowed by law
- to develop and carry out marketing activities and to show you information that is of interest to you, based on our understanding of your preferences
- for statistical research and analysis so that we can monitor and improve products, services and websites
- for use in the development of a historical record of the Society
- to contact you about market research we are carrying out
- to monitor how well we are meeting our performance expectations
- to enforce or apply our website terms of use, our notice terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety
- to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with
- to take part in, or be the subject of, any sale, purchase, merger or takeover of all or part of the Society.
-
We may use your personal information to send you marketing by post, by phone, through social media, by email and by text.
We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described above.If you do not want to receive emails from us, you can click on the ‘unsubscribe’ link that appears in all emails we send. If you do not want to receive texts from us you can tell us by contacting us at any time. Otherwise, you can always contact our Support Care team to update your preferences.
Supporter Care
Data Protection Officer
National Autistic Society
2nd Floor
Weston House
42 Curtain Road
London
EC2A 3NHEmail: supportercare@nas.org.uk
Phone: 0808 800 1050You have the right to object to direct marketing and profiling (the automated processing of your information to help us evaluate certain things about you, for example, your personal preferences and your interests) relating to direct marketing. Please see the section about Your rights below for more details.
-
We advertise on Facebook, X, Instagram, and Google as well as some other websites.There are various ways we target our advertising online so it reaches the right people:
- Advertising to people signed up with an online platform (such as Facebook or Google) based on what the platform knows about them, for example, we may ask Facebook to show a particular advert to people interested in cycling living around Glasgow. We use this method to promote general awareness of our work and fundraising. We do not target individuals based upon any special category personal data (such as health data).
- 'Look-alike' / 'Similar' audiences: we send a list of 'hashed' email addresses to an online platform such as Facebook or Google (hashing means the information is turned into a code to make it secure). The online platform matches these hashed email addresses to existing users, and then creates a group of people with similar characteristics and present our advertising to them.
- 'Custom audiences': we use a similar method to send information and support about our campaigns and activities to people who have given their consent to allow us to do so. We may also do this on a legitimate interest basis. We send a list of hashed email addresses of persons who have shown interest in an activity or campaign, to the online platform, and the online platform then matches these email addresses to users. For example, if you signed up to a trek event, you might see event information when you are logged in to a relevant online platform.
- Cookie based advertising: advertising cookies (and similar technologies such as tags) can track your activity online. We have advertising cookies on our websites: when you visit, you will be offered the option to accept or refuse these. If you accept them, these cookies will record information about how you interact with our websites and this information will then be used to serve you with relevant adverts on other sitesm such as Facebook, based on the content that you have clicked on or interacted with. If you click to accept cookies for advertising, the information stored in these cookies may also be used to: create a 'lookalike' or 'similar audience' of people with similar interests and characteristics to the group of people who clicked on the same thing; or to send a remarketing message to you about the same thing you clicked on before. This helps us to ensure that our digital advertising campaigns are as cost-effective as possible. We do not use cookie information from more sensitive areas of our site such as advice and guidance, our online community, social care services or schools to target people in this way.
- Advertising to people signed up with an online platform (such as Facebook or Google) based on what the platform knows about them, for example, we may ask Facebook to show a particular advert to people interested in cycling living around Glasgow. We use this method to promote general awareness of our work and fundraising. We do not target individuals based upon any special category personal data (such as health data).
-
We share your information within The National Autistic Society, with people acting on your behalf (for example, parents, guardians or advocates) and with others who help us provide services to you (for example, health care providers and medical assistance providers) or who we need information from to allow us to handle or confirm care plans or support needs (for example, professional associations). We also share your information in line with the law. For more information about who we share your information with, please see below.We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice. The exact information we share depends on the reason we are sharing it. For example, if we need to share information in order to provide health care, we will share special categories of information, such as medical details, with the treatment provider.
For all our customers, we may share your information with:
- other members of The National Autistic Society, in order to provide our products and services to you
- doctors, clinicians and other health care professionals, hospitals, clinics and other health care providers so that they can provide treatment so that they can provide treatment and we can monitor the quality of your treatment and care
- people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud prevention or safeguarding purposes, including with the Care Quality Commission)
- the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order
- organisations that carry out surveys on our behalf
- if we sell or buy any business or assets, the potential buyer or seller of that business or those assets
- a third party who takes over any or all of The National Autistic Society assets (in which case personal information we hold about our customers or visitors to the website may be one of the assets the third party takes over).
If we provide residential services, assisted living services, child services, or education, we may share your information with:
- our insurance partners (for example, brokers, reinsurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt collection agencies, credit reference agencies, fraud detection agencies, regulators, data protection supervisory authorities
- those paying for the products or services we provide to you, including insurers, public sector commissioners and embassies)
- those providing your treatment and other benefits.
If we share your personal information, we will make sure appropriate protection is in place to protect your personal information in line with data protection laws.
-
We may use your data to conduct research and statistical analysis. If we use this information it will be in an anonymised format (with all names and other identifying information removed) or information that is combined with other people’s information, or may be shared with others, for research or statistical purposes. You cannot be identified from this information and we will only share the information in line with legal agreements which set out an agreed, limited purpose and prevent the information being used for commercial gain.
-
Some companies that we work in partnership with or that provide services to us are located in, or run their services from, countries across the world. As a result, we may transfer your personal information to many different countries. This may include transferring information outside the UK.We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Certain countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries. If this is not the case, the protection may be set out under our contract with the organisation who receives the information.
-
We keep your personal information in line with set periods calculated using the following criteria:- How long you have had a relationship with us, the types of products or services you have with us, and when you will no longer require our help or advice
- How long it is reasonable to keep records to show we have met the obligations we have to you and by law
- Any time limits for making a claim
- Any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations
- Any relevant proceedings that apply.
If you would like more information about how long we will keep your information for, please email us at dataprotection@nas.org.uk.
-
You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you. For more information, see below.- Right of access: you have the right to make a request for details of your personal information and a copy of that personal information.
- Right to rectification: you have the right to have inaccurate information about you corrected or removed.
- Right to erasure (‘right to be forgotten’): you have the right to have certain personal information about you deleted from our records.
- Right to restriction of processing: you have the right to ask us to use your personal information for restricted purposes only
- Right to object: you have the right to object to us processing (including profiling) your personal information in cases where our processing is based on a task carried out in the public interest or where we have let you know it is necessary to process your information for our or a third party’s legitimate interests. You can object to us using your information for direct marketing and profiling purposes in relation to direct marketing.
- Right to data portability: you have the right to ask us to transfer the personal information you have given us to you or to someone else in a format that can be read by computer.
- Right to withdraw consent: you have the right to withdraw any permission you have given us to handle your personal information. If you withdraw your permission, this will not affect the lawfulness of how we used your personal information before you withdrew permission, and we will let you know if we will no longer be able to provide you with your chosen product or service.
- Right in relation to automated decisions: you have the right not to have a decision which produces legal effects which concern you or which have a significant effect on you based only on automated processing, unless this is necessary for entering into a contract with you, it is authorised by law or you have given your permission for this. We will let you know if we make automated decisions, our legal reasons for doing this and the rights you have.
Please note: other than your right to object to us using your information for direct marketing (and profiling for the purposes of direct marketing), your rights are not absolute. This means they do not always apply in all cases, and we will let you know in our correspondence with you how we will be able to meet your request relating to your rights.
If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. We have 21 days to respond to requests relating to automated decisions. For all other requests we have one month from receiving your request to tell you what action we have taken.
In order to exercise your rights, please email us at dataprotection@nas.org.uk.
-
You can always make a complaint if you are unhappy with the way we have used your data by contacting us at Your.Views@nas.org.uk.You can also complain to the ICO if you are either unhappy with how we responded to your complaint or with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AFHelpline number: 0303 123 1113
Changes to this privacy notice
We reserve the right to amend this privacy notice so please do check back from time to time. If we do so, we will post notice of the change on our website and make every effort to inform you of any material changes to the notice. This notice will have been provided to you – either in full or via hyperlink – at the time your data was submitted to us.
Last updated: 30 January 2024