Privacy policy

Who we are

At National Migraine Centre, we respect your privacy and are committed to protecting your personal data. Please read this policy, which explains how we collect personal data, what we do with it, the measures we take to protect it and what controls you have over your personal data.

Unless otherwise stated, references in this Privacy Policy to we, us and our, are references to the National Migraine Centre.

The National Migraine Centre is what’s known as the ‘data controller’ of the personal data you provide to us. Your relationship with us determines how much data we collect from you. We will only ever collect the data needed. We will be very clear with you about the reason for collecting data and how we intend to use, share and store that data.

About this policy

This Privacy Policy covers particularly our use of your personal data when you interact with us via the website, or by email, telephone or social media. This includes when you: (i) use our website; (ii) complete an online booking request or other form on our website; (iii) subscribe to our newsletter; (iv) communicate with us (including via our feedback form) by email or by phone or by other means (such as social media); (v) make a donation (including Gift Aid); (vi) volunteer or fundraise with us; or (vii) participate in online surveys, or (viii) receive an offer of an appointment.

These categories give an overview of how we relate to the data you may share with us as a member of the public. For more specific details of our protocols and processes for how we store and process your data, or for information about data usage for other categories of individual (such as those applying for staff roles, employees or contractors), please contact us to request a copy of our full Data Protection Policy, which is available on request.

The Data Protection Policy also provides greater detail on our approach to data, particularly should you become a patient of the National Migraine Centre. Explicit consent is always sought ahead of an appointment with details of how data will be processed.

Children

If you are under 16, please ensure you obtain your parent/guardian’s consent before sending any personal data to the National Migraine Centre.

Data collection and usage

The text below sets out how we collect your personal data, the types of personal data and how this personal data is used.

1 Personal data that you provide to us when subscribing to the National Migraine Centre newsletter includes:

  • Name; and
  • Email address.

We use this personal data in order to:

  • send you an e-newsletter periodically containing information and updates relating to our services and latest headache news; and
  • send invitations by email to fundraising events, products and appeals. Please see the terms and conditions relating to such events for further details.

We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

2 Personal data we collect if you are Fundraising for us including:

  • Name and contact details

We use this personal data in order to:

  • Send you information about our fundraising activities.

3 Information you provide to us when completing the Book a Headache Masterclass Form includes:

  • Name and contact details

We use this personal data in order to:

  • Process and administer your booking; and
  • Discuss designing a bespoke programme to meet your needs.

4 Information you provide to us when completing the pre-appointment information forms (including HIT-6 form, headache diary and medication report) includes:

  • Your contact details (name, email address and phone number);
  • Date of birth; and
  • Information to measure the impact migraine has on your day to day ability to function.
  • Previous experience of headache and treatment options

We use this personal data in order to:

  • Measure the impact that headaches have on your ability to function at work, at school, at home and in social situations, and to deliver services to you.

5 Information you provide to us when completing the treatment consent forms includes:

  • Your contact details (name, address and phone number);
  • Date of birth;
  • GP details; and
  • Current medications being taken/ recently taken
  • Health information

We use this personal data in order to:

  • Administer the clinical services we offer you; and
  • Obtain your consent to receive treatment.

6 When you make a donation.

If you contact us to make a donation we will collect your credit/debit card details  and/or collect your bank account details to process the donation (including to set up direct debit payments) through third party providers. The National Migraine Centre will not store these details, although they may be stored by third party agencies to facilitate payment transactions. You may ask for details of the agency used to facilitate payments or donations.

Information you provide to us when completing the Gift Aid declaration includes:

  • Your contact details (name, address, email address, and phone number); and
  • Date of birth

We use this personal data in order to:

  • claim tax on the donations made by UK taxpayers.

8 Information you provide to us when completing our Online Booking Request includes:

  • Your contact details (name, email address, address and phone number);
  • Date of birth; and
  • If you are under 16, parent or guardian contact details (name, email address and phone number);
  • Health information.

We use this personal data in order to:

  • Arrange consultations and appointments with a headache specialist and deliver healthcare services;
  • Where specific consent has been provided to receive further contacts, we may also send you information and updates relating to:
    – the National Migraine Centre, our services and treatments;
    – fundraising, marketing, prize draws and events;

– latest treatment options and headache news.

9 Personal data you provide to us in relation to our Will Writing Service including:

  • Your contact details (name, email address, address and phone number) through a third party Will Writing Service website; and
  • The amount of the legacy and the date you made the Will.

We use this personal data in order to:

  • Provide your information to a third party will writing provider;
    Offer a free online Wills service.

10 Personal data that you provide us in response to online surveys includes:

  • Your contact details (name, email address, address and phone number); and
    The details of your response to the online research or surveys.

We use this personal data in order to:

  • obtain feedback on your interaction with our website, our services and your customer experience to improve our services; and
  • conduct and administer surveys that may be used to support improvements in healthcare, or for advocacy or marketing purposes.

11 Information when you communicate with us whether through our website by email (including via the feedback form), by phone, by social media or by any other means including:

  • Your contact details (name, email address, address, phone number and social media handle or user name);
  • The details of your communications with us; and
  • The details of our messages to you.

We use this personal data in order to:

  • Respond to requests for information about our services (including queries relating to joining our team);
  • Answer any questions, issues or concerns;
  • Monitor communications for quality and training purposes;
  • Develop new services; and
  • Improve our services.

12 Personal data that we collect through your use of our website including:

  • Device information such as operating system, unique device identifiers, the mobile network system;
  • traffic data;
  • weblog statistics;
  • Hardware and browser settings;
  • Page requests;
  • The requests you make;
  • The pages you visit and search engine terms you use; and
    IP address.

For further information on our use of cookies see our Cookie Policy.

We use this personal data in order to:

  • Analyse use of the website such as pages visited and number of visitors.
  • Operate our website;
  • Tailor our communications to you and improve our website;
  • Provide and adapt our website to the technical capabilities of user devices;
  • Personalise our website content and digital advertising;
  • Identify issues with the website and the user’s experience of it; and
  • Monitor and analyse the way our website is used.

13 Personal data that we collect through Facebook Adverts including:

  • Age and gender; and
  • Country and region

Our Facebook Adverts use the Facebook Pixel Service of Facebook Inc. 1601 S.California Avenue, Palo Alto, CA94304. USA (Facebook).

For further information please read our Cookie Policy and Facebook’s privacy policy and Facebook’s cookie policy.

We use this personal data in order to:

  • Personalise our digital advertising;
  • Deliver adverts to website visitors who have a Facebook account as well as find Facebook customers with similar interests to the people who visit our website;
  • Measure the effectiveness of our Facebook ad campaigns for statistical and market research purposes, which in turn, helps ensure that we’re using our resources effectively.; and
  • Find out more about the actions of users after they are redirected to our website.

Special category personal data

Certain types of personal data are more sensitive than others. This special category personal data about you includes information about health, disability, race, ethnicity, criminal offences (or alleged offences), political opinions, biometrics or religion.

We may collect and receive special category personal data about you. We have identified below the types of special category personal data we may collect or receive, how we will use it and why we will use it.

1 Information you provide to us when completing our Online Booking Request includes:

  • Whether you are registered with a UK GP;
  • Details of your medical history and any previous diagnosis and treatment;
  • Details of your headache symptoms; and
  • Details of any medical conditions.

We use this personal data in order to:

  • Internally triage your request and administer the clinical services we offer you, including arranging an appointment with a headache specialist or consultant neurologist; and
  • Enable our clinicians to prescribe medication and make informed treatment recommendations; and
  • Improve headache treatment.

2 Information you provide to us when completing the Headache Diary and HIT-6 report includes:

  • Your contact details (name, email address, address and phone number);
  • Details of your headache symptoms; and
  • Other health and medical data provided in the Headache Diary;

We use this personal data in order to:

  • Enable our clinicians to monitor, diagnose and treat your headache.

3 Information you provide to us when completing the Medication Form includes:

  • Your contact details (name, email address, address and phone number);
  • Details of your headache symptoms, medication taken and any brain scans received; and
  • Other health and medical data;

We use this personal data in order to:

Enable our clinicians to prescribe medication, diagnose your headache and make informed treatment recommendations

4 Information you provide to us when completing the treatment forms includes:

  • Details of your GP (GP name and GP surgery address); and
  • Details of any medications being taken or recently taken.

We use this personal data in order to:

  • Administer the clinical services we offer you; and
  • Obtain your consent to Botox or GON Block procedures.

5 Information you provide to us when participating in the Registry Project includes:

  • Contact details;
  • Personal data; and
  • Health data.

We use this personal data in order to:

  • Monitor prescribing practices and patient outcomes;
  • Streamline and improve patient data collection, and patient experience;
  • Reduce workloads and improve efficiency; and
  • Conduct research and for publication

Registry data is behind two-factor authentication for access by staff or clinicians. Patients can access the data with a username, password and security question combination. However, unlike our main patient records storage, use of the registry is optional and patients can choose to skip providing pre- and post-appointment assessment if they choose, sharing case history and other information verbally with their clinician during the consultation. The clinician will use data provided through the registry (and/or verbally during the consultation or optionally provided by the patient by other means) to create a medical report which is sent to the patient and, if they wish, to their GP also. These medical reports are stored securely in the main patient records database. At the point of sign up for the registry, patients will be provided with a detailed data statement, covering how data is used, stored and its purposes, in order to ensure consent is adequately informed. Patients must accept this data statement before proceeding to opt in to use the registry.

Why we use personal data

We rely on the following lawful bases under data protection law for our use of your personal data:

  • Consent: you have given your consent to the processing (for example if you consent to receiving newsletters or direct marketing from us);
  • Performance of a contract: it is necessary for the performance of and compliance with your contract with us or in order to take steps prior to entering into that contract (for example as required to arrange consultations and appointments with a headache specialist or consultant neurologist);
  • Legal or Regulatory Obligation: we need to process your personal data in order to comply with a legal or regulatory obligation; or
  • Legitimate Interests: it is necessary for our legitimate interests (or those of a third party). Please see section “When do we have legitimate interests?” below for more information.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Where we process your special category personal data (such as health data) we rely on the following lawful bases under data protection law:

  • Explicit consent: you have given your explicit consent to the processing (for example the collection of your medical history when you fill in the Online Booking Request); or

When do we have legitimate interests?

We use your personal data where this is necessary for our legitimate interests (or those of a third party). This includes where use of your personal data is necessary to:

  • Raise funds for National Migraine Centre’s charitable causes;
  • Administer and operate the National Migraine Centre and for internal record keeping;
  • Contact you regarding donations you have made, applications you have submitted, or the online content you have signed up for;
  • Research, analyse and improve National Migraine Centre and our work;
  • Maintain a public profile on both traditional and social media;
  • Ensure effective administration and management of our website;
  • Facilitate treatments and appointments between patients and clinicians;
  • Understand how individuals use our website and improving our website;
  • Understand and respond to queries, complaints and feedback;
  • Ensure network and information security; and
  • Enforce our legal rights and manage any dispute and legal claims and take legal or other professional advice.

Retaining your personal data

We hold your personal data only as long as necessary for each reason that we use it.

We have set out how long we will typically keep certain types of personal data below:

Prospective patients (sending booking requests)

Data is reviewed once each calendar year. All personal data over 24 months since the last contact is then deleted (unless we have been asked by the subject to hold data for longer, or if patient remains on an active waiting list).

Patients (received an appointment)

Health records are held for a minimum of 20 years after we have been notified of the death of a patient, or since the last appointment or treatment.

Records will not be destroyed without the authorisation of the chief executive.

Patients (participated in Registry project)

As long as is necessary for the purposes detailed.

Medical research participant

A minimum of 20 years after the conclusion of the research.

Survey respondent

Data is reviewed once each calendar year. All personal data over five years old is then deleted.

Recipients of marketing and fundraising materials

When marketing/fundraising emails are sent, opt outs are provided. Data will be held until an opt out is received.

Recipients of networking, professional education, training and conferences information

When marketing/fundraising emails are sent, opt outs are provided. Data will be held until an opt out is received.

Donors (to receive donations / payments)

The National Migraine Centre holds no financial information. Where patients consent to make a donation/payment, agents such as Opayo and JustGiving process data. The information will be held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes.

Donors (to claim Gift Aid, at the request of the donor)

When payment is made through JustGiving, it is JustGiving that collects and processes Gift Aid and all data is stored there. Where a gift has been made via Opayo, the charity records Gift Aid status and passes this to HMRC, via our accountant, in line with statutory regulation. The information will be held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes and at least six years.

Legal requirements

Your personal data may be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body or agency or in the defence of a legal claim.  We will not delete personal data if relevant to an investigation or a dispute.  It will continue to be stored until those issues are fully resolved.

Sharing your data

Your personal data will be processed by employees and volunteers of the National Migraine Centre.

There are also certain circumstances where we will transfer your personal data to third parties. These include:

  • Clinicians (including consultant neurologist, headache specialist GP or headache specialist nurse) and other contractors  in order to administer the clinical services we offer to you;
  • your GP, consultant or other medical specialists (including pharmacies), in certain circumstances where you have consented to us sharing this information;
  • Third party legal advisors, in order to process will writing services where you have consented to us sharing this information;
  • Insurance providers and underwriters relating to private health insurance cover where you have consented to us sharing this information;
  • Third party vendors such as fundraising platforms, banks and payment providers and e-marketing providers;
  • Other service providers – Third parties may process your personal data on our instructions. These include IT suppliers (including website, software and app providers), patient management records and registry companies, cloud hosting providers, database providers, backup and disaster recovery specialists and email providers;

Further detail is available in our Data Protection Policy. Patients will be invited to provide consent prior to treatment or use of the registry, with a detailed statement on data use being made available at the point of consent.

Our suppliers, third party vendors and service providers will be required to meet appropriate standards on processing information and security when processing your personal data.  The information we provide them, including your information, will only be processed in connection with the performance of their function. They will not be permitted to use your information for any purposes other than those outlined in this Privacy Policy.

Your personal data may also be transferred to other third party organisations in certain scenarios, such as:

  • If we’re discussing selling or transferring part or all of our organisation – the information may be transferred to prospective purchasers under suitable terms as to confidentiality;
  • If we are reorganised or sold, information may be transferred to a buyer who can continue to provide services to you;
  • If we’re required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example the Police e.g. in order to assist fraud protection and minimise credit risk;
  • If we are defending a legal claim your information may be transferred as required in connection with defending such claim; or
  • If we run an event in partnership with other named organisations, your personal data may need to be shared. We will be very clear what will happen to your personal data when you register for such event.

Some of the third parties with which we share your personal data will act as separate data controllers. This means that they will process your personal data for their own purposes – please see the privacy notices of the relevant third party for further details.

Your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

We will never sell or rent your personal data to other organisations.

Where is your data stored?

Personal data we process is processed and stored within the UK or European Economic Area (EEA).

We may transfer your personal data to locations outside of the UK and EEA. However, to ensure your personal data is protected in accordance with EU and UK data protection law we will only transfer data outside the UK and EEA where appropriate safeguards as required by applicable data protection law are in place. This includes where a jurisdiction has been deemed adequate by the EU or UK or, where there is no adequacy decision, by putting in place Standard Contractual Clauses.

Please contact us at admin@nationalmigrainecentre.org.uk if you would like further information on the specific safeguards used by us when transferring your personal data.

Securing your data

The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and the transmission of such data is entirely at your own risk.

We have however put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. We ensure that only those employees and volunteers, who need access to your personal data as part of their role, are given access. They will only process your personal data on our instructions and our contracts ensure that the data is kept confidential.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach if we need to.

What are your rights?

You have a number of rights about how we handle your personal data. These rights are not applicable in all circumstances and exemptions may apply. Your rights may include the following:

  • Transparency: you are entitled to be informed how we use your personal data – that is the purpose of this Privacy Policy.
  • Access: you are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data (commonly known as a data subject access request).
  • Correction: you are entitled to request that any incomplete or inaccurate personal data we hold about you is corrected.
  • Restriction: you are entitled to ask us to suspend the processing of certain of your personal data about you, for example if you want us to establish its accuracy.
  • Erasure: you are entitled to ask us to delete or remove personal data in certain circumstances (right to be ‘forgotten’).  There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
  • Objection: where we are processing your personal data based on a legitimate interest (or those of a third party) you may object to processing on this ground.  However we may be entitled to continue processing your information based on our legitimate interests.
  • Transfer: you may request the transfer of certain of your personal data to another party in certain circumstances or obtain and reuse your personal data for your own purposes.
  • Withdraw consent: where you have provided your consent to the collection and processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

If you would like to know more about your rights under data protection law, you can find out more at the Information Commissioners Office website.

You also have a right to lodge a complaint with a supervisory authority.  In the UK you can make a complaint to the Information Commissioner’s Office (Tel: 0303 123 1113 or at www.ico.org.uk).

Direct Marketing

We may send you direct marketing by:

  • Email if you have given your consent:
    – to marketing relating to our services. This includes our newsletters, invitations to enter prize draws and attend master classes and fundraising events; and
    – to marketing relating to third party products or services that may be of interest; and
  • Phone or post. If you do not wish to receive direct marketing by phone or post you can opt-out at any time.

If you do not want us to use your personal data for the purposes of direct marketing you can withdraw your consent at any time by:

  • contacting admin@nationalmigrainecentre.org.uk; or
  • in respect of our newsletter and email marketing, using the unsubscribe option in any of our newsletters or emails.

Please note that if you choose not to consent to direct marketing or withdraw your consent to direct marketing we will still communicate with you in relation to your appointments and other service related messages. For example, confirmation or cancellation of appointments.

If you fail to provide the personal data requested

If you fail to provide the personal data requested where we need the personal data for either legal or accounting purposes or to fulfil our contract with you, we may need to cancel your services. Before cancelling your services, we will notify you that you are required to provide the missing personal data and give you a further reminder before cancellation.

Transcription software

Clinicians may choose to use dictation tools during consultations – patients are notified of this during the online booking process and informed they have a right to refuse consent. Clinicians are made aware that:

  • The National Migraine Centre only allows clinicians to use Microsoft Word for the purposes of transcription, to ensure compliance and security standards
  • Transcriptions may only be saved within our own secure cloud storage system

Cookies and similar technologies

When you are browsing our website, we have cookies in place, which provide information on how you navigate the site and the pages you visit. You will be given the option to agree to these cookies when you visit the website. We also have some essential cookies in operation, which help the website work well, you can block these but it may affect the website’s ability to respond correctly and load pages etc.

Please see our Cookie Policy for more information relating to our use of cookies and similar technologies on this website.

Links to other websites

In order to be able to provide you additional services, such as information on migraine research and treatment, will writing services, fundraising platforms and other migraine charities we may link to other websites. Where we have a contract in place for the services, we take steps to ensure that your personal data is secure and only used in the way we prescribe. For other third-party websites, we will make clear that you are being redirected. These websites should have their own privacy policies which you should check.

We suggest that you review the privacy policies for any third-party websites you visit as we cannot accept any liability for the way they manage your personal data as we have no control over them.

Changes to the policy

We may change this Privacy Policy from time to time and it is available on our website. Please check back frequently; you will be able to see when this Privacy Policy was last updated by looking at the date at the end of this Privacy Policy. If we make changes to this Privacy Policy, we will post the updated version on our website.

This policy was developed alongside and in line with the standards set out in the charity’s Data Protection Policy, which can be made available on request (see ‘How to contact us’).

If we make a change that significantly affects your rights or, to the extent we are permitted to do so, significantly changes how or why we use personal data, we will notify you by way of a prominent notice on our website or, if we have your email address, by email.

How to contact us

If you wish to talk through anything in our privacy policy or find out more or exercise any of these rights, please contact us by emailing info@nationalmigrainecentre.org.uk and we will be happy to help.

About Us

National Migraine Centre is registered with the Information Commissioner’s Office as a Data Controller. Our registration  reference is Z1228547.

National Migraine Centre is a company registered in England and Wales. Registered company number: 1115935 whose registered office is 999 Medical Centre, 999 Finchley Road, London, NW11 7HB.

 

Last updated: August 2024