Privacy policy - National Migraine Centre

Who we are

At National Migraine Centre, we respect your privacy and are committed to protecting your personal data. Please read this policy, which explains how we collect personal data, what we do with it and the measures we take to protect it and what controls you have over your personal data.

Unless otherwise stated, references in this Privacy Policy to we, us and our, are references to the National Migraine Centre.

This Privacy Policy covers our use of your personal data when you: (i) use our website; (ii) complete an online booking request or other form on our website; (iii) subscribe to our newsletter; (iv) communicate with us (including via our feedback form: compliments and complaints) by email or by phone or by other means (such as social media); (v) make a donation (including gift aid); (vi) volunteer or fundraise with us; or (vii) participate in online research or surveys.

National Migraine Centre is what’s known as the ‘data controller’ of the personal data you provide to us. Your relationship with us determines how much data we collect from you. We will only ever collect the data needed to provide you with advice and services.

We will be very clear with you about the reason for collecting data and how we intend to use, share and store that data at the point we collect it.

Children

If you are under 16 please ensure you obtain your parent/guardian’s consent before sending any personal data to the National Migraine Centre.

How we collect and use your personal data

Data Collection and Usage

The text below sets out how we collect your personal data, the types of personal data and how this personal data is used.

1 Personal data that you provide to us when subscribing to the National Migraine Centre newsletter includes:

Name; and
Email address.

We use this personal data in order to:

send you an e-newsletter periodically containing information and updates relating to our services and latest headache news; and
send invitations by email to fundraising events and appeals. Please see the terms and conditions relating to such events for further details.

We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

2 Personal data we collect if you are Fundraising for us including:

Name and contact details

We use this personal data in order to:

Send you information about our fundraising activities.

3 Information you provide to us when completing the Book a Headache Masterclass Form includes:

Name and contact details

We use this personal data in order to:

Process and administer your booking; and
Discuss designing a bespoke programme to meet your needs.

4 Information you provide to us when completing the [HIT-6 score] includes:

Your contact details (name, email address and phone number);
Date of birth; and
Information to measure the impact migraine has on your day to day ability to function.

We use this personal data in order to:

Measure the impact that headaches have on your ability to function at work, at school, at home and in social situations.

5 Information you provide to us when completing the Botox Consent Form and/or the Greater Occipital Nerve (GON) Block Consent Form includes:

Your contact details (name, address and phone number);
Date of birth;
GP details; and
Current medications being taken/ recently taken

We use this personal data in order to:

Administer the clinical services we offer you; and
Obtain your consent to Botox or GON Block procedures.

6 When you make a donation.

If you contact us to make a donation we will collect your credit/debit card details (we will not store these details) and/or collect your bank account details to process the donation (including to set up direct debit payments).

Information you provide to us when completing the Gift Aid declaration includes:

Your contact details (name, address, email address, and phone number); and
Date of birth

We use this personal data in order to:

claim tax on the donations made by UK taxpayers.

8 Information you provide to us when completing our Online Booking Request includes:

Your contact details (name, email address, address and phone number);
Date of birth; and
If you are under 16, parent or guardian contact details (name, email address and phone number).

We use this personal data in order to:

Arrange consultations and appointments with a headache specialist or consultant neurologist;
Send you information and updates relating to:
– the National Migraine Centre;
– our fundraising appeals;
– latest treatment options and headache news; and
– how you can get involved in supporting our work,
where you have consented to receiving this information.
Send you marketing, including our newsletters and invitations to enter prize draws and attend master classes and fundraising events where you have consented to receiving this information.

9 Personal data you provide to us in relation to our Will Writing Service including:

Your contact details (name, email address, address and phone number) through a third party Will
Writing Service website; and
The amount of the legacy and the date you made the will.

We use this personal data in order to:

Provide your information to a third party will writing provider (Make a Will Online);
Offer a free online wills service through makeawillonline.co.uk. All wills are checked by a fully qualified solicitor.

10 Personal data that you provide us in [response to online research or surveys] includes:

Your contact details (name, email address, address and phone number); and
The details of your response to the online research or surveys.

We use this personal data in order to:

obtain feedback on your interaction with our website, our services and your customer experience to improve our services; and
conduct and administer research and surveys.

11 Information when you communicate with us whether through our website by email (including via the Feedback Form: compliments and complaints), by phone, by social media or by any other means including:

Your contact details (name, email address, address, phone number and social media handle or user name);
The details of your communications with us; and
The details of our messages to you.

We use this personal data in order to:

Respond to requests for information about our services (including queries relating to joining our team);
Answer any questions, issues or concerns;
Monitor communications for quality and training purposes;
Develop new services; and
Improve our services.

12 Personal data that we collect through your use of our website including:

Device information such as operating system, unique device identifiers, the mobile network system;
traffic data;
weblog statistics;
Hardware and browser settings;
Page requests;
The requests you make;
The pages you visit and search engine terms you use; and
IP address.

For further information on our use of cookies see our Cookie Policy.

We use this personal data in order to:

Analyse use of the website such as pages visited and number of visitors.
Operate our website;
Tailor our communications to you and improve our website;
Provide and adapt our website to the technical capabilities of user devices;
Personalise our website content and digital advertising;
Identify issues with the website and the user’s experience of it; and
Monitor and analyse the way our website is used.

13 Personal data that we collect through Facebook Adverts including:

Age and gender; and
Country and region

Our Facebook Adverts use the Facebook Pixel Service of Facebook Inc. 1601 S.California Avenue, Palo Alto, CA94304. USA (Facebook).

For further information please read our Cookie Policy and Facebook’s privacy policy and Facebook’s cookie policy.

We use this personal data in order to:

Personalise our digital advertising;
Deliver adverts to website visitors who have a Facebook account as well as find Facebook customers with similar interests to the people who visit our website;
Measure the effectiveness of our Facebook ad campaigns for statistical and market research purposes, which in turn, helps ensure that we’re using our resources effectively.; and
Find out more about the actions of users after they are redirected to our website.

Special category personal data

Certain types of personal data are more sensitive than others. This special category personal data about you includes information about health, disability, race, ethnicity, criminal offences (or alleged offences), political opinions, biometrics or religion.

We may collect and receive special category personal data about you. We have identified below the types of special category personal data we may collect or receive, how we will use it and why we will use it.

1 Information you provide to us when completing our Online Booking Request includes:

Whether you are registered with a UK GP;
Details of your medical history and any previous diagnosis and treatment;
Details of your headache symptoms; and
Details of any medical conditions.

We use this personal data in order to:

Internally triage your request and administer the clinical services we offer you, including arranging an appointment with a headache specialist or consultant neurologist; and
Enable our clinicians to prescribe medication and make informed treatment recommendations.

2 Information you provide to us when completing the Headache Diary includes:

Your contact details (name, email address, address and phone number);
Details of your headache symptoms; and
Other health and medical data provided in the Headache Diary;

We use this personal data in order to:

Enable our clinicians to monitor, diagnose and treat your headache.

3 Information you provide to us when completing the Medication Form includes:

Your contact details (name, email address, address and phone number);
Details of your headache symptoms, medication taken and any brain scans received; and
Other health and medical data;

We use this personal data in order to:

Enable our clinicians to prescribe medication, diagnose your headache and make informed treatment recommendations

4 Information you provide to us when completing the Botox Consent Form and/or the Greater Occipital Nerve (GON) Block Consent Form includes:

Details of your GP (GP name and GP surgery address); and
Details of any medications being taken or recently taken.

We use this personal data in order to:

Administer the clinical services we offer you; and
Obtain your consent to Botox or GON Block procedures.

Why we use personal data

We rely on the following lawful bases under data protection law for our use of your personal data:

Consent: you have given your consent to the processing (for example if you consent to receiving newsletters or direct marketing from us);
Performance of a contract: it is necessary for the performance of and compliance with your contract with us or in order to take steps prior to entering into that contract (for example as required to arrange consultations and appointments with a headache specialist or consultant neurologist);
Legal or Regulatory Obligation: we need to process your personal data in order to comply with a legal or regulatory obligation; or
Legitimate Interests: it is necessary for our legitimate interests (or those of a third party). Please see section “When do we have legitimate interests?” below for more information.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Where we process your special category personal data (such as health data) we rely on the following lawful bases under data protection law:

Explicit consent: you have given your explicit consent to the processing (for example the collection of your medical history when you fill in the Online Booking Request); or

When do we have legitimate interests?

We use your personal data where this is necessary for our legitimate interests (or those of a third party). This includes where use of your personal data is necessary to:

Raise funds for National Migraine Centre’s charitable causes;
Administer and operate the National Migraine Centre and for internal record keeping;
Contact you regarding donations you have made, applications you have submitted, or the online content you have signed up for;
Research, analyse and improve National Migraine Centre and our work;
Maintain a public profile on both traditional and social media;
Ensure effective administration and management of our website;
Facilitate treatments and appointments between patients and clinicians;
Understand how individuals use our website and improving our website;
Understand and respond to queries, complaints and feedback;
Ensure network and information security; and
Enforce our legal rights and manage any dispute and legal claims and take legal or other professional advice.

Retaining your personal data

We hold your personal data only as long as necessary for each reason that we use it.

We have set out how long we will typically keep certain types of personal data below:

Prospective patients (sending booking requests)

Deleted annually (after they have left the waiting list for an appointment)

Patients (received an appointment)

A minimum of 20 years after we have been notified of the death of a patient.

Temporary information held by Typeform or other form hosting companies will be deleted annually.

Medical research participant

A minimum of 20 years after the conclusion of the research.

Survey respondent

Five years.

Recipients of marketing and fundraising materials

When marketing/fundraising emails are sent, opt outs are provided. Data will be held until an opt out is received.

Recipients of networking, professional education, training and conferences information

When marketing/fundraising emails are sent, opt outs are provided. Data will be held until an opt out is received.

Donors (to receive donations / payments)

The National Migraine Centre holds no financial information. Where patients consent to make a donation/payment, agents such as Opayo and JustGiving process data. The information will be held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes.

Donors (to claim Gift Aid, at the request of the donor)

When payment is made through JustGiving, it is JustGiving that collects and processes Gift Aid and all data is stored there. Where a gift has been made via Opayo, the charity records Gift Aid status and passes this to HMRC, via our accountant, in line with statutory regulation. The information will be held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes and at least six years.

Legal requirements

Your personal data may be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body or agency or in the defence of a legal claim. We will not delete personal data if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.

Sharing your data

Your personal data will be processed by employees and volunteers of the National Migraine Centre.

There are also certain circumstances where we will transfer your personal data to third parties. These include:

Clinicians (including consultant neurologist, headache specialist GP or headache specialist nurse) and other contractors in order to administer the clinical services we offer to you;
your GP, consultant or other medical specialists (including pharmacists), in certain circumstances where you have consented to us sharing this information;
Third party legal advisors, in order to process will writing services where you have consented to us sharing this information;
Insurance providers and underwriters relating to private health insurance cover where you have consented to us sharing this information;
Third party vendors such as fundraising platforms, banks and payment providers and e-marketing providers;
Other service providers – Third parties may process your personal data on our instructions. These include IT suppliers (including website, software and app providers), cloud hosting providers, database providers, backup and disaster recovery specialists and email providers;

Our suppliers, third party vendors and service providers will be required to meet appropriate standards on processing information and security when processing your personal data. The information we provide them, including your information, will only be processed in connection with the performance of their function. They will not be permitted to use your information for any purposes other than those outlined in this Privacy Policy.

Your personal data may be transferred to other third party organisations in certain scenarios, such as:

If we’re discussing selling or transferring part or all of our organisation – the information may be transferred to prospective purchasers under suitable terms as to confidentiality;
If we are reorganised or sold, information may be transferred to a buyer who can continue to provide services to you;
If we’re required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example the Police e.g. in order to assist fraud protection and minimise credit risk;
If we are defending a legal claim your information may be transferred as required in connection with defending such claim; or
If we run an event in partnership with other named organisations, your personal data may need to be shared. We will be very clear what will happen to your personal data when you register for such event.

Some of the third parties with which we share your personal data will act as separate data controllers. This means that they will process your personal data for their own purposes – please see the privacy notices of the relevant third party for further details.

Your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

We will never sell or rent your personal data to other organisations.

Where is your data stored?

Personal data we process is processed and stored within the UK or European Economic Area (EEA).

We may transfer your personal data to locations outside of the UK and EEA. However, to ensure your personal data is protected in accordance with EU and UK data protection law we will only transfer data outside the UK and EEA where appropriate safeguards as required by applicable data protection law are in place. This includes where a jurisdiction has been deemed adequate by the EU or UK or, where there is no adequacy decision, by putting in place Standard Contractual Clauses.

Please contact us at admin@nationalmigrainecentre.org.uk if you would like further information on the specific safeguards used by us when transferring your personal data.

Securing your data

The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and the transmission of such data is entirely at your own risk.

We have however put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. We ensure that only those employees and volunteers, who need access to your personal data as part of their role, are given access. They will only process your personal data on our instructions and our contracts ensure that the data is kept confidential.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach if we need to.

What are your rights?

You have a number of rights about how we handle your personal data. These rights are not applicable in all circumstances and exemptions may apply. Your rights may include the following:

Transparency: you are entitled to be informed how we use your personal data – that is the purpose of this Privacy Policy.
Access: you are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data (commonly known as a data subject access request).
Correction: you are entitled to request that any incomplete or inaccurate personal data we hold about you is corrected.
Restriction: you are entitled to ask us to suspend the processing of certain of your personal data about you, for example if you want us to establish its accuracy.
Erasure: you are entitled to ask us to delete or remove personal data in certain circumstances (right to be ‘forgotten’). There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
Objection: where we are processing your personal data based on a legitimate interest (or those of a third party) you may object to processing on this ground. However we may be entitled to continue processing your information based on our legitimate interests.
Transfer: you may request the transfer of certain of your personal data to another party in certain circumstances or obtain and reuse your personal data for your own purposes.
Withdraw consent: where you have provided your consent to the collection and processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

If you would like to know more about your rights under data protection law, you can find out more at the Information Commissioners Office website.

You also have a right to lodge a complaint with a supervisory authority. In the UK you can make a complaint to the Information Commissioner’s Office (Tel: 0303 123 1113 or at www.ico.org.uk).

Direct Marketing

We may send you direct marketing by:

Email if you have given your consent:
– to marketing relating to our services. This includes our newsletters, invitations to enter prize draws and attend master classes and fundraising events; and
– to marketing relating to third party products or services that may be of interest; and
phone or post. If you do not wish to receive direct marketing by phone or post you can opt-out at any time.

If you do not want us to use your personal data for the purposes of direct marketing you can withdraw your consent at any time by:

contacting admin@nationalmigrainecentre.org.uk; or
in respect of our newsletter and email marketing, using the unsubscribe option in any of our newsletters or emails.

Please note that if you choose not to consent to direct marketing or withdraw your consent to direct marketing we will still communicate with you in relation to your appointments and other service related messages. For example, confirmation or cancellation of appointments.

If you fail to provide the personal data requested

If you fail to provide the personal data requested where we need the personal data for either legal or accounting purposes or to fulfil our contract with you, we may need to cancel your services. Before cancelling your services, we will notify you that you are required to provide the missing personal data and give you a further reminder before cancellation.

Cookies and similar technologies

When you are browsing our website, we have cookies in place, which provide information on how you navigate the site and the pages you visit. You will be given the option to agree to these cookies when you visit the website. We also have some essential cookies in operation, which help the website work well, you can block these but it may affect the website’s ability to respond correctly and load pages etc.

Please see our Cookie Policy for more information relating to our use of cookies and similar technologies on this website.

Links to other websites

In order to be able to provide you additional services such as information on migraine research and treatment, will writing services, fundraising platforms and other migraine charities we may link to other websites. Where we have a contract in place for the services, we take steps to ensure that your personal data is secure and only used in the way we prescribe. For other third-party websites, we will make clear that you are being redirected. These websites should have their own privacy policies which you should check.

We suggest that you review the privacy policies for any third-party websites you visit as we cannot accept any liability for the way they manage your personal data as we have no control over them.

Changes to the policy

We may change this Privacy Policy from time to time and it is available on our website. Please check back frequently; you will be able to see when this Privacy Policy was last updated by looking at the date at the end of this Privacy Policy. If we make changes to this Privacy Policy, we will post the updated version on our website.

If we make a change that significantly affects your rights or, to the extent we are permitted to do so, significantly changes how or why we use personal data, we will notify you by way of a prominent notice on our website or, if we have your email address, by email.

How to contact us

If you wish to talk through anything in our privacy policy or find out more or exercise any of these rights, please contact us by emailing info@nationalmigrainecentre.org.uk and we will be happy to help.

About Us

National Migraine Centre is registered with the Data Commissioner’s Office as a Data Controller. Our registration number is 1115935.

National Migraine Centre is a company registered in England and Wales. Registered company number: 1115935 whose registered office is 999 Medical Centre, 999 Finchley Road, London, NW11 7HB.

Last updated: August 2022

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1BDRT8PSYL	2 years	This cookie is installed by Google Analytics.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.