General Data Protection and Privacy Policy

Manchester Royal Infirmary Kidney Patients’ Association (MRIKPA)
Registered Charity No. 516871
Version 2.1 | Reviewed March 2026 | Next Review: March 2027

 

1. Introduction

Manchester Royal Infirmary Kidney Patients’ Association (MRIKPA), registered charity number 516871 and referred to throughout this document as ‘the Association’, is committed to protecting the personal information of its members, supporters, and anyone who interacts with us.

This policy explains how we collect, store, use, and share personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data we hold, whether in digital or paper form.

We review this policy annually or whenever there is a significant change to how we process personal data.

 

2. Who This Policy Applies To

This policy applies to:

  • All current and former members of the Association
  • Trustees, volunteers, and committee members
  • Contracted agents and third-party service providers acting on behalf of the Association
  • Anyone who contacts us or whose details we hold for any reason connected with our charitable activities

 

3. Who We Are — Data Controller

The Association is the Data Controller for all personal data it holds. This means we determine why and how your personal data is used.

Our nominated Data Protection Lead is the Chair of the Association’s Committee. Concerns or requests relating to personal data should be directed to the Chair in the first instance. Contact details are available on our website at www.mrikpa.org.uk.

You may write to us at: MRIKPA, 12 Carrington Lane, Sale, M33 5ND

Note: In smaller charities such as ours, it is not a legal requirement to appoint a formal Data Protection Officer (DPO). We have instead designated a Data Protection Lead who oversees compliance with this policy.

 

4. What Personal Data We Hold

We collect and hold only the data necessary to operate our membership and deliver our services. This typically includes:

  • Full name
  • Postal address
  • Email address
  • Telephone number (where provided)
  • Membership preferences (e.g., print newsletter or digital)
  • Payment transaction records where a membership fee or donation is made (see Section 5)

 

Special Category Data (Sensitive Personal Information)

We do not ask for, or collect, special category data (such as medical records, health diagnoses, or clinical information) as part of our membership process.

However, as a kidney patients’ association, members or supporters sometimes choose to share health-related information when contacting us — for example, when asking for welfare support or describing their circumstances. Where this happens:

  • We use that information only to understand your situation and respond helpfully
  • We do not record it in our membership database or categorise it
  • We do not share it with any third party
  • It is treated with the utmost discretion and handled on a strictly need-to-know basis within the committee

In plain terms: if you tell us something personal about your health when reaching out to us, we will use it only to help you. We won’t file it, categorise it, or pass it on.

 

5. Payment Data

Membership fees and donations may be collected via PayPal or bank direct debit through our website or by other authorised methods. These payment channels are operated by independent, GDPR-compliant providers operating under their own published privacy policies.

The Association does not store payment card details, bank account numbers, or sort codes. Transaction records (including payer name, email address, amount, and date) are held within the relevant payment platform and are accessible only to authorised committee members and our contracted digital agent, for administration and Gift Aid recording purposes only.

Where bank direct debit mandates are used, these are processed in accordance with the rules of the relevant scheme (such as Bacs) and we retain only the minimum information required to administer the mandate.

Some legacy members originally provided bank account details on a paper membership application form for the purpose of setting up a standing order for their annual membership fee. These details have since been transferred to secure electronic records. Where such records are still held for active standing order members, they are stored securely with access restricted to authorised committee members only, and are used solely for the administration of that standing order. The lawful basis for holding this data is contract — the ongoing membership standing order arrangement. Members may request that these details be reviewed or destroyed at any time by contacting the Chair.

 

6. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing personal data. The Association relies on the following bases:

  • Legitimate Interests — to deliver our newsletter, membership communications, and charitable activities to our members
  • Contract — where membership has been entered into, to fulfil our obligations to members
  • Consent — where members have explicitly agreed to receive specific communications, such as email newsletters

Where we rely on consent, you have the right to withdraw that consent at any time by contacting us.

 

7. How We Use Your Personal Data

We use personal data only for the following purposes:

  • To distribute our regular printed newsletter by post
  • To send digital newsletters and membership communications by email
  • To send ad hoc letters, leaflets, or event invitations relevant to membership
  • To issue welfare grant information where applicable
  • To notify members of events such as park walks and group activities
  • To collect annual membership fees and donations, processed through authorised payment providers
  • To record Gift Aid declarations where applicable

The Association uses your data to communicate with you about MRIKPA activities. We never pass personal data to third parties for commercial marketing purposes, and we do not sell data.

 

8. Contracted Agents and Third-Party Service Providers

The Association may share member data with trusted third parties only where it is necessary to deliver our membership services. We distinguish between two types of third party:

Contracted Agents

Where we engage an individual or company as an ongoing agent acting on our behalf — such as a contracted digital, website, or communications agent — we require a signed Data Processing Agreement (DPA) to be in place before any personal data is shared. This is a legal requirement under UK GDPR Article 28.

Our contracted agent is responsible for services including: website management, email distribution, design, print fulfilment coordination, event communications, and social media administration. The scope of their access to personal data is limited strictly to what is required for those tasks.

Third-Party Platforms and Services

Some services we use are large, established platforms that process data under their own published Terms of Service and GDPR-compliant data processing terms. These include:

  • Print fulfilment and postal mailing services (such as Stannp) — used to print and post newsletters and membership communications to members’ addresses
  • Email distribution platforms (such as MailPoet) — used to send digital newsletters
  • Payment processing services (such as PayPal) — for membership fees and donations
  • Website hosting providers — for the secure hosting of mrikpa.org.uk

No separate signed agreement is required with these platforms, as they are independently accountable under their own published data processing policies and terms.

Principles Applying to All Third Parties

In all cases — whether using a contracted agent or a third-party platform — the Association ensures that:

  1. Only the minimum personal data necessary for the task is shared
  2. Data is used only for the specific purpose for which it was provided
  3. Data is stored securely and deleted or destroyed once the task is complete
  4. Any data breach or security incident involving our members’ data is reported to the Association without delay

 

9. Data Security

We take the security of your personal data seriously. The safeguards we have in place include:

  • All digital data is stored on password-protected, encrypted systems
  • Access to personal data is restricted to those who need it to carry out their role
  • Contracted agents are required to implement equivalent security measures as part of their Data Processing Agreement
  • Physical documents containing personal data are stored securely and disposed of appropriately when no longer needed
  • Member data is not stored on unsecured personal devices or uncontrolled shared storage

 

10. How Long We Keep Your Data

We retain personal data only for as long as it is needed:

  • Active members: data is held while membership is current and for up to five years after it ends, unless you ask us to remove it sooner
  • Upon a member’s death, their data is removed from our active systems
  • Data shared with contractors or service providers for specific tasks (e.g., a print run) is deleted by the contractor once that task is complete
  • Payment transaction records are retained for up to seven years to comply with HMRC requirements (including Gift Aid records)

At the end of the retention period, data is reviewed and securely deleted or anonymised.

 

11. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of Access — to request a copy of the data we hold about you
  • Right to Rectification — to ask us to correct inaccurate or incomplete data
  • Right to Erasure — to ask us to delete your data where there is no longer a legitimate reason to hold it
  • Right to Object — to object to us processing your data for a particular purpose
  • Right to Restrict Processing — to ask us to limit how we use your data
  • Right to Data Portability — to receive your data in a structured, commonly used format

To exercise any of these rights, please contact our Data Protection Lead via the contact details on our website at www.mrikpa.org.uk. We will respond within one calendar month.

 

12. Social Media

Our digital and communications agent manages our social media accounts (including Facebook and Google Business Profile) on our behalf. No personal member data is shared with social media platforms directly. Our social media activity is limited to public-facing communications, event promotion, and community engagement consistent with our charitable purposes.

 

13. Raising a Concern

If you have a concern about how we are handling your personal data, please follow these steps:

  1. Contact our Data Protection Lead in the first instance. Their contact details are on our website at www.mrikpa.org.uk. Contact Mr Mike Kewley via support@mrikpa.org.uk.
  2. If you remain dissatisfied, contact the Chair of the Association’s Committee via chair@mrikpa.org.uk
  3. You may also write to us at: MRIKPA, 12 Carrington Lane, Sale, M33 5ND
  4. If the matter is not resolved, you have the right to raise a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

 

14. Policy Review

This policy will be reviewed annually by the Association’s Committee, or sooner if there is a significant change in how we process personal data or in the applicable law.

Ref: MRIKPA-DPP-V2.1-2026  |  Registered Charity No. 516871  |  www.mrikpa.org.uk