DSUK is dedicated to obtaining, handling, processing, transporting, and storing all such personal data, whether held on computer, or paper, lawfully and correctly, in accordance with the safeguards contained in the UK GDPR Act 2016 and the Data Protection Act 2018. This policy applies to anyone who has access to and/or is a user of DSUK’s ICT systems, including staff, trustees, volunteers, parents / carers, contractors, and other community users.
DSUK undertakes to obtain and process personal data and data captured from the public domain fairly and lawfully. DSUK will do this by informing all personal data subjects of the reasons for data collection, the purposes for which data is held, the likely recipients of the data and the data subjects’ right of access. Information about the use of personal data is printed on the appropriate collection form, or in our Privacy Notices. If details are given verbally, the person collecting the data will explain the issues before collecting the information. Subjects whose data has been captured from the public domain are given the opportunity to request that their data be removed from DSUK’s database.
Terms used in the Policy
- Processing means obtaining, recording, or holding the information or data or carrying out a set of operations on the information or data.
- Data subject means an individual who is the subject of personal data or the person to whom the data relates.
- Personal data means data which relates to a living individual who can be identified. Addresses and telephone numbers are examples.
DSUK has a responsibility to protect such personal data, especially sensitive personal data that it collects from data subjects. DSUK is committed to helping and supporting the Down syndrome community. To successfully achieve this, we need to collate and store data including personal information to create, analyse, and report on subjects. These can include a range of subjects including but not limited to information around maternity experience, ongoing health and education care and input, names and addresses of our members and their families. Submitting such data is entirely at the discretion and choice of each data subject.
We believe in establishing a clear, transparent, and accountable approach to our data protection to ensure that all those who support and engage with DSUK can do so safe in the knowledge that we will apply the same values to our data protection as we do to all our work and will handle their personal data in a secure, transparent, and responsible manner with full respect for their privacy, in line with all relevant legal obligations.
DSUK follows the principles of data protection as detailed in the UK GDPR Act 2016. Data must:
- be fairly and lawfully processed. This means that an organisation must be truthful about what personal data they wish to collect and what they want to use it for.
- be obtained for specified and lawful purposes. This means that an organisation cannot use personal data for any purpose other than that stated when they collected the data.
- be adequate, relevant, and not excessive. This means that an organisation cannot ask for any data that is not immediately needed.
- be accurate and up to date. If data held about you is wrong or out of date, you have the right to have it corrected or deleted.
- not be kept for longer than is necessary. As soon as an organisation no longer needs your data, they must delete it.
- be processed in line with your rights. Your rights include the right to see any data held on you, and the right to correct inaccurate data.
- be held securely. This means safe from unauthorised access (e.g. with usernames and passwords), but also safe from accidental loss (by making backups).
- not be transferred to other countries outside the European Economic Area unless those countries have similar data protection laws.
Data we collect
DSUK collects data that data subjects provide to us, which is information that can be used to identify someone as an individual. DSUK will only do this when the data subject has agreed to the request for personal data. Data may include the following:
- Name and address
- Date of birth
- Health information
- Contact details
- Your bank or credit card details where you provide these to make a payment (processed by a third party)
How we protect personal data
DSUK follows applicable privacy and data security laws. DSUK may use third-party service providers (e.g. Salesforce, Survey Monkey and Stripe) to collect and maintain data. Appropriate and legal measures will be in place to protect the confidentiality and security of data.
DSUK will follow strict procedures and have many security features in place to protect data. However, as data transmission is not 100% secure, DSUK cannot guarantee the security of any information you transmit to us, and you therefore do so at your own risk.
Backups of our data systems are held on an external hard drive which is securely stored to minimise the risk of accidental loss or theft.
How we use data
If you provide personal data, the charity may use your data to:
- Improve our services
- Campaign for better support and services
- Provide newsletters and updates
- Notify you of new events, training, fundraising campaigns or services we provide
- Ask for feedback
- Respond to your requests
- Keep in touch with our members / users
- Provide you with services, products or information requested
DSUK will:
- Only collect personal data to serve a specific purpose and only gather the minimum amount needed
- Use only fair and lawful means to obtain the personal data
- Be transparent with data subjects whose personal data we collect
- Obtain a data subject’s consent to process personal data
- Not use personal data for a different purpose without getting the data subject’s consent
- Update personal data where it is incorrect
- Ensure only authorised staff, trustees, and volunteers of DSUK will process personal data
- Not hold any payment data
Sharing personal data
DSUK will only share personal data in compliance with applicable law. Special cases include:
- To identify, contact or bring legal action against someone
- Any request in connection with a criminal investigation by law enforcement authorities
DSUK will not sell or license your personal data to other third parties.
Photography and film
DSUK wishes to use photography, images, and film with your consent. The images can potentially be used across all media (such as newspapers, magazines, websites), or broadcast outlets, on social media, in publications, on our website, in printed or online fundraising materials, in fundraising, training resources and awareness resources or by our partners who help fundraise and/or raise awareness to support DSUK. You can ask us to stop using this at any time.
Case Studies: Photography, images and film created for case studies are collected and used with your consent. We will discuss with you how your, and/or your child’s, image and information is going to be used and ensure you are happy for it to be used in this way. You can ask us to stop using this at any time.
Event Photography: Where an event is organised by DSUK, we will notify you in advance that photographs will be taken, and you will be given the opportunity to advise if you do not wish to be photographed.
If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact DSUK before the event. You can change your mind at any time.
Where the event is organised by a third party, we will use photography from the event under our legitimate interests. We will be clear in our terms and conditions of entry if this is the case. If you do not want your photograph taken, please either tell the photographer at the time, if it is convenient to do so, or contact DSUK after the event.
At some events there may be photographers present who represent the media or the event organiser and for whom DSUK is not responsible. Please review the terms and conditions issued by the event organiser for more information and inform the event organiser of your preferences and wishes in respect of photography taken.
Equality and diversity monitoring
We are committed to ensuring that we value our differences and benefit from diversity of thought, background, and experience by reflecting the diversity of those that we work with and for.
For some case studies or surveys, we will ask you to provide equality, diversity, and inclusion data, called diversity monitoring data. Diversity monitoring data is provided to us directly by you and only where you choose to provide it. We will never require you to submit this information.
Diversity monitoring data is special category data under the UK GDPR and includes information regarding:
- Ethnicity
- Health data, including information about disability
- Sexuality and gender identification, including reassignment
- Religious beliefs
We collect and process diversity monitoring data for reasons of substantial public interest to ensure compliance with the Equality Act 2010, and to monitor and promote equal opportunities and treatment to all.
Your data is used in an anonymised format for equal opportunities monitoring and to compare representation of our community. It may be published as anonymised statistics or reported in an anonymised format to comply with legal and regulatory responsibilities, including those under the Equality Act 2010.
It is not used or published in a way that could identify you.
Marketing and communications
We use marketing communications to keep you up to date with what we are doing, how you can get involved, and news and features about DSUK which we feel will be of interest to you. This may include but is not limited to newsletters, surveys, financial appeals, raffle appeals, fundraising opportunities, or updates about DSUK.
Social media
DSUK uses social media to communicate with you and share information about campaigns or events. Currently we use Facebook, Twitter, TikTok, LinkedIn and Instagram. We do this through advertising on our social media or through posting messages and information on our own social media pages which you may choose to “like”, “follow” or interact with.
We take your privacy and rights seriously but still deem your interest to us important. For this reason, we use our legitimate interest to use your information and communicate with you in this way. Therefore, we will not ask for your permission to market to you through social media, but you are always free to inform us that you do not want us to contact you in this way. You can also update your preferences within the social media site to stop receiving marketing.
Our websites use cookies, as almost all websites do, to provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone that distinguish you from other users of the website. By continuing to browse the website, you are agreeing to our use of cookies.
Our cookies help us:
- Make our website work as you’d expect.
- Remember your settings between visits.
- Improve the speed and security of the site.
We do not use cookies to:
- Collect any personal information (without your express permission).
- Collect any sensitive information (without your express permission).
- Pass data to advertising networks.
- Pass personal information to third parties.
- Pay sales commissions.
Turning Cookies off
You can configure your web browser to refuse cookies, to delete cookies, or to be informed if a cookie is set. You can find out how to do this by clicking “help” on your browser menu.
You should note that by deleting or blocking cookies, the website may not function correctly, and you may not be able to access certain areas.
It may be that your concerns around cookies relate to so-called “spyware”. Rather than switching off cookies in your browser you may find that anti-spyware software achieves the same objective by automatically deleting cookies considered to be invasive.
We use Google Analytics to help monitor and analyse use of our websites. To opt out of being tracked by Google Analytics across all websites, visit
Changes to Cookies
We may change this Cookie Statement at any time. If we make material changes to the way in which we use cookies, we will let you know either by posting the changes on the Website and/or in this Policy Statement. It is important that you review any of these changes. If you do not wish to agree to these changes, then we cannot continue to provide the website to you, and your only option is to stop accessing the website. For more information on cookies please visit
Links to other websites
The DSUK website may provide links to other websites. If you navigate to another site via the DSUK website, DSUK is not responsible for how these websites collect and use your personal data or the content of the websites. Please view the data protection policies for the website you are on before entering any data. This Policy does not apply to any other websites.
Subject access
The Data Protection Acts entitle all data subjects to a right of access to their own personal data.
Anyone who has personal data held by the Charity has the right to make a subject access request. This could be to update, correct or remove your personal data at any time. DSUK will deal promptly with subject access requests.
DSUK complies with GDPR by providing the following rights for individuals:
- the right to be informed
- the right of access to a copy of their personal data
- the right of rectification of data
- the right of erasure (or right to be forgotten)
- the right to restrict processing
- the right to data portability (in relation to processing by automated means)
- the right to object to processing
- rights in relation to automated decision-making and profiling.
The right to be informed encompasses DSUK’s obligation to provide information on how personal data is collected and used (‘fair processing information’), typically through DSUK’s privacy notice, which can be found at “DSUK Privacy and GDPR Policy – Down Syndrome UK”, and to be transparent in how personal data is used.
With regard to the right of access, DSUK will provide confirmation that the data is being processed and, if requested, grant access to personal data free of charge within 28 days of receiving the request (this can be extended by a further month if the request is complex or onerous).
Under the right of rectification, DSUK will correct any inaccurate or incomplete data within 28 days of notification. DSUK will also inform any third parties, if applicable, of these rectifications.
In compliance with the right to erasure, DSUK will delete data under the following specific circumstances:
- Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- An individual withdraws their consent.
- The individual objects to the processing and there is no overriding legitimate interest for continuing processing.
- The personal data was unlawfully processed.
- The personal data has to be erased to comply with a legal obligation.
- The personal data is processed in relation to online services to children.
DSUK will ensure that, in certain circumstances, the right to restrict processing of personal data is satisfied. This can include situations where data may be inaccurate or where the individual has objected to the processing, and DSUK is considering whether its legitimate grounds for processing data override the rights of the individual.
Under the right to data portability, an individual can ask for their data in a form that can easily and securely be transferred from one IT environment to another. DSUK would ensure that data held can be securely transferred if a request is made.
Under the right to object, DSUK will stop processing personal data where there is an objection unless there are compelling legitimate grounds to continue processing data, or if the processing is for the establishment, exercise or defence of legal claims. DSUK will stop processing personal data for direct marketing purposes as soon as an objection is received. The right to object is included in DSUK’s privacy notice.
DSUK will secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and will ensure that it cannot be used to discriminate against the individual.
Should an individual wish to exercise any of the above rights, they can do so by contacting the Operations Manager at On request from an individual, the Operations Manager will supply details of what information is held, why it is held and to whom it may be disclosed. A copy of the relevant record of data on the individual may be supplied.
DSUK will aim to comply with requests for access to personal data records within one month.
IMPORTANT: Breaches of procedure or loss of data
Any breach of confidentiality should be reported to the Operations Manager, who will then appoint an appropriate independent person (e.g. a member of the board of trustees or a senior member of staff) to investigate the matter. If, following a written summary of findings, the Operations Manager finds that a breach has occurred, they have the discretion to take appropriate action within 28 days. This may include consideration of pursuing disciplinary action or, in the case of a volunteer, asking the person to withdraw from DSUK’s service.
DSUK will continually update this policy to ensure it follows all changes in applicable laws.
DSUK is always seeking to implement best practice and strives for the highest standards. DSUK operates an “open door” policy to discuss any concerns about the implementation of this policy or related issues – see Complaints Policy.
There is a right to make a complaint to the Information Commissioner’s Office (ICO), but under most circumstances the ICO would encourage the complainant to raise the issues in the first instance with DSUK.
The ICO is contactable at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 0303 123 1113.
Legislation and guidance
This policy considers the following:
- The General Data Protection Regulation (GDPR) 2018
- The Data Protection Act (DPA) 2018
- The Protection of Freedoms Act 2012
- Guidance published by the Information Commissioner’s Office
Our contact details
If you have any questions or queries about this Privacy Notice, please contact us:
We will regularly review and update this document.
Significant changes will be notified through an announcement on our website.