Privacy notice
Key things to know about our approach to privacy and why we have this Privacy Notice
The Dunhill Medical Trust is a registered charity with charity number 1140372, registered company number 07472301 and registered office address Thanet House 231-232 Strand London WC2R 1DA. We regard the lawful and correct treatment of your personal information as very important and are fully committed to the principles of data protection, as set out in the General Data Protection Regulation (GDPR) which came into effect on 25 May, 2018 and updated subsequently by UK GDPR, which came into effect on 1 January, 2021.
Our Privacy Notice will help you understand what information we collect, how we use it, how we protect any information that you give us and what choices you have.
A quick note on terminology
- ‘Personal data’ means data which can be used to identify an individual and includes information about that individual. Special category data is personal data that needs more protection because it is sensitive. Where we collect special category data, we must complete a legitimate interest assessment (LIA).
- When we use the words “we”, “us”, or “our” in this policy, it refers to the Dunhill Medical Trust only.
- The Dunhill Medical Trust is defined by the General Data Protection Regulation as a ‘data controller’ which means that we are responsible for how and why personal data is used.
Communicating changes to this Privacy Notice
We may need to change this notice from time to time. If we do so, we will post any changes on this page. If you continue to use services which rely on your consent to process your personal data after those changes take effect, you will be asked to agree to the revised notice.
Queries and contact details
Please send any queries about the information in this Privacy Notice or the information we hold about you to [email protected] or call 020 7871 5401.
What are the lawful bases we use for processing your data?
We process personal data in connection with our charitable activities.
The General Data Protection Regulation sets out a number of bases on which we may rely for legal processing of data. We use the lawful bases of ‘consent’, ‘contract’ and ‘legitimate interests’.
The lawful bases will differ depending on the nature of your relationship with us. Please select the box below which is relevant to you.
We have carried out a Legitimate Interest Impact Assessment in relation to the special category data we collect.
We use ‘consent’ as the lawful basis for processing your personal data in relation to the grant application process and for sending you information about our news and activities. This means you need to agree to us processing your details in order that the application can proceed, and in some circumstances, to information relating to the application being sent outside the European Economic Area. Those circumstances relate to some grant schemes for academic and clinical researchers, where peer review forms part of our grant assessment procedure. You will be advised when making your application if this is the case.
We also use ‘consent’ as the lawful basis for processing your personal data where you have registered your contact details on our Grants Management System or via the Contact Us form on our website, joined the DMT Academy or are a member of the UK Ageing Research Funders’ Forum (UKARFF) and requested that we send you updates about the Trust’s news and events and/or the activities of the Academy or UKARFF.
Should a grant application you make to us be successful, we will then rely on the lawful basis that processing is necessary for the performance of the contract which will be made with you to enable both us and you to fulfil the obligations relating to the grant award. Similarly, if we enter into a contract with you as a supplier or consultant, we will rely on the lawful basis that processing is necessary for the performance of the contract.
The ‘Legitimate interests’ lawful basis is used for all other aspects of our work. This means the interests of our organisation in conducting and managing our activities in a way that you would reasonably expect, with a minimal privacy impact, and taking into account your rights and interests. For example, for grant-holders, once the obligations of a grant award have been fulfilled, we will retain the information contained in the application for statistical purposes, as set out in the section on data retention periods.
For suppliers and consultants (or potential holders of these capacities), we will retain the contact information you provide to us and use it to contact you in pursuit of our day-to-day activities.
We will use the “Legitimate interests” lawful basis in our dealings with you. This means the interests of our organisation in conducting and managing our activities in a way that you would reasonably expect, with a minimal privacy impact, and taking into account your rights and interests.
We will use the “Legitimate interests” lawful basis to process your application to us. This means the interests of our organisation in conducting and managing our activities in a way that you would reasonably expect, with a minimal privacy impact, and taking into account your rights and interests.
Once you accept an offer of employment, we will then rely on the ‘contract’ lawful basis, as a contract will be made with you to enable both us and you to fulfil the obligations relating to the employment.
What personal data might we hold about you?
We will hold different kinds of personal data depending on the nature of your relationship with us. Please select the box below which is relevant to you.
The personal data we hold about you includes:
- Your full name and honorifics
- Your job title
- The name and address of the organisation you work for or are associated with
- Your email address – in most instances this will be an organisational email address
- Your telephone number – again, in most instances this will be an organisational telephone number
- Current and previous job titles and employers
- Educational qualifications
- Any further information you choose to supply to us in a curriculum vitae, including your date of birth
From November 2022, we will be asking grant applicants to provide data to help the Trust monitor and comply with its equality, diversity, and inclusion policy. Applicants will have the option of providing data on age, gender, racial or ethnic origin and disability status as part of the application process.
We store this information securely, either on our own systems, or for grant applications/records, on our Grant Management System, provided by Fluent Technology. We make every effort to ensure the information is kept up to date. All of our staff take responsibility for doing so and have been trained in the principles of data protection. You are also encouraged to review the information we hold on you and to tell us if it needs updating or correction.
Grant holders and applicants are able to update their details directly via the Grant Management System. However, we will also amend your record for you if you tell us that your details have changed (and we can verify your identity) by emailing [email protected]. You can unsubscribe from any mailing you receive from us via the software service we use for the purpose by clicking “unsubscribe”. If you would like us to delete your record, we will do this if you let us know.
Your personal data is stored and used only for the intended purpose, and we take steps to collect only the minimum personal data necessary for that purpose.
We will hold information that you supply to us as part of your recruitment as a Trustee or committee member and in order to ensure that you receive reimbursement of your expenses. This information will be treated in confidence and in accordance with the principles of the GDPR.
The personal data we hold on you as a Trustee or committee member or applicant to those positions includes:
- Your full name and honorifics
- Your job title
- Your home address
- Personal contact details – telephone/mobile numbers and/or personal email address
- Current and previous job titles and employers
- Educational qualifications
- Any further information you choose to supply to us in a curriculum vitae
- Bank account details (if you have claimed travel expenses).
Once you are appointed as a Trustee or committee member, we will also hold:
- Date of birth
- Copies of identification documents (with photographic identification) such as passport or driving licence.
Current Trustees and Committee members (as at November 2022) will be offered the option to provide data on age, gender, racial or ethnic origin and disability status to help the Trust monitor and comply with its equality, diversity, and inclusion policy.
In the case of peer reviewers, we will hold only full name and a publicly available email address in order to contact you in the first instance. We will gather these from university websites. If you agree to become a peer reviewer, we will ask you to provide:
- Your full name and honorifics
- Your job title
- The name and address of the organisation you work for or are associated with
- Your email address – in most instances this will be an organisational email address
- Your telephone number – again, in most instances this will be an organisational telephone number
Your personal data is stored and used only for the intended purpose, and we take steps to collect only the minimum personal data necessary for that purpose.
We will hold information that you supply to us as part of your recruitment as an employee and in order to ensure that you are paid. This information will be treated in confidence and in accordance with the principles of the GDPR.
The personal data we hold on you as a job applicant includes:
- Your full name and honorifics
- Your job title
- Your home address
- Personal contact details – telephone/mobile numbers and/or personal email address
- Current and previous job titles and employers
- Educational qualifications and copies of original certificates
- Any further information you choose to supply to us in a curriculum vitae
- Bank account details (if you have claimed travel expenses)
Once you become an employee, we will also hold:
- Contact details of next-of-kin or other emergency contact (telephone/mobile numbers and/or personal email address)
- Copies of identification documents (with photographic identification) such as passport or driving licence
- Gender
- Marital status
- Bank account details
- Data we are required to hold by Her Majesty’s Revenue and Customs
- National Insurance number
- Date of birth
- Any health records and disability information you have chosen to provide
- Pension fund arrangements
- Appraisal records gathered in the course of your employment with us.
Current staff (as at November 2022) will be offered the option to provide data on age, gender, racial or ethnic origin and disability status to help the Trust monitor and comply with its equality, diversity, and inclusion policy.
We store this information securely on our own systems. Some information will also be stored, under agreement, with our accountants for payroll purposes. This information is kept as up-to-date as possible – employees are responsible for informing the Executive Director of any changes in their personal data.
Your personal data is held only in relation to your employment with us and will not be used for other purposes.
The personal data we hold about you includes:
- Your full name
- Your email address. In most instances this will be an organisational email address
You can unsubscribe from any mailing you receive from us via the software service we use for the purpose by clicking “unsubscribe”. If you would like us to delete your record, we will do this if you let us know.
Your personal data is stored and used only for the intended purpose, and we take steps to collect only the minimum personal data necessary for that purpose.
How do we use your information?
We will need to use your personal data in differing ways, depending on the nature of your relationship with us. Please select the box below which is relevant to you.
We access and use the information as necessary and in accordance with your instructions:
- To provide you with news and information about our work, events and grants programme, if you have chosen to receive it. You can change your preferences as to whether you receive this information at any time.
- To support you on a funding programme, including to access the funds agreed relating to a grant award and to meet the reporting obligations relating to the award.
- To personalise and customise your experience with our website.
- To communicate with you, including by email, post or telephone.
- To verify your identity and position.
- To investigate any complaints about or made by you, or if we have reason to suspect that you are in breach of any of our terms and conditions or that you are or have been otherwise engaged in any unlawful activity.
Equality, diversity and inclusion data, if provided, is used solely for statistical purposes to monitor compliance with the Trust’s policy.
We do not undertake any automated decision-making in our processing of personal data.
We access and use the information to provide you with news and information on the Trust’s work, events and grants programmes, if you have chosen to receive it. You can change your preferences as to whether you receive this information at any time.
In the case of peer reviewers, we will use the information to contact you about applications you are reviewing for us or to contact you regarding new applications you might agree to review for us.
In the case of suppliers and consultants, we will access and use the contact information with which you provide us in pursuit of the work for which we have engaged you.
Equality, diversity and inclusion data, if provided, is used solely for statistical purposes to monitor compliance with the Trust’s policy.
We do not undertake any automated decision-making in our processing of personal data.
We access and use the information as necessary for the purposes of:
- Assessing your job application to us.
- Administering the payroll and reimbursing expenses.
- Administering pension contributions.
- Ongoing management.
- Health and safety.
- To communicate with you, including by email, post or telephone.
- As required by law and regulation, for example, making statutory returns to Her Majesty’s Revenue and Customs.
Equality, diversity and inclusion data, if provided, is used solely for statistical purposes to monitor compliance with the Trust’s policy.
We do not undertake any automated decision-making in our processing of your personal data.
We access and use the information as necessary for the purposes of:
- Assessing your application to us.
- Reimbursing your expenses, in accordance with our policy.
- Confirming your identity.
- As required by law and regulation, for example, making statutory returns to Companies House and the Charity Commission.
- Enabling you to process and approve payments on behalf of the Trust.
- To communicate with you, including by email, post or telephone.
Equality, diversity and inclusion data, if provided, is used solely for statistical purposes to monitor compliance with the Trust’s policy.
We do not undertake any automated decision-making in our processing of your personal data.
What other information might we hold?
We may also hold:
- Payment and other financial information: we will only hold bank details for institutions for the purposes of making grant-related or other contractual payments, but may hold individuals’ personal bank account details for reimbursement of expenses, as per our expenses policy for trustees, committee members and other individuals, as agreed with us. These will be held on our secure on-line banking system and on our accounting systems, Xero and Dext. These latter two systems are also accessible by our accountants and our auditors with whom we have suitable agreements to ensure confidentiality. We will only hold such financial information for as long as necessary, for example, until the final payment of a grant has been made, and in line with legal requirements.
- Surveys and interviews: from time to time, we may conduct surveys and interviews with individuals and organisations from the sector. We will explain any specific implications as part of the activity, should they differ from this privacy notice.
How long do we hold information?
We will hold personal information only for as long as necessary for the stated purpose(s), and in line with any legal, accounting or reporting requirements, for example, in relation to financial information.
If you have simply asked us to keep you informed of our news, events and other information, we will retain your name and email address until you request us not to.
Full details regarding the retention periods for the various categories of data we hold may be downloaded here.
How do we protect the security of your information?
We take data security seriously. We are Cyber Essentials certified. We take all reasonable steps to protect the information you provide to us from loss, misuse, and unauthorised access, alteration or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology, and include firewalls, passwords, secure servers and encryption of financial transactions. Our own servers and those of our Grants Management Portal provider, Fluent Technology, are currently based in the UK.
While we will use the email facility provided by our Grants Management System for routine communications with grant holders and grant applicants regarding an application or the ongoing management of a grant, you should be aware, whether you are a grant applicant, grant holder, employee, trustee, committee member or other individual who has chosen to receive notification of funding opportunities, news or events from the Trust, that we may transfer your name and email address to other mailing services such as Microsoft’s Outlook, MailerLite or JISC. JiscMail is the UK’s national academic mailing list service, which helps people working in the UK education and research sectors to discuss, debate, collaborate and communicate with peers, experts and partners using mailing lists. Its privacy notice is available here. MailerLite is a service which enables us to design and send email newsletters. Its security statement may be found here.
We may also invite you to use services such as Eventbrite to register you for any events and meetings we run. In this case, you will be asked to enter your details into their systems and you will be subject to their data security and privacy policies and arrangements.
As set out in the section above on other data we may hold about you, where we hold personal bank account details, these are stored on our secure on-line banking system and on our accounting systems, Xero and Dext. Xero’s servers are outside of the European Economic Area, and Xero has certified agreements in place with each of its hosting providers to satisfy the requirements relating to the transfer of data from the EU to the US. Dext stores its data on servers based inside the European Economic Area.
On occasion, we may also send you surveys to complete, which may involve you providing your name and contact details, using a service called Smart Survey which uses only UK/EU-based servers that store personally identifiable information in a secure environment.
If you change your mind about receiving this more general information about our work, you may “unsubscribe” from this service by either amending your preferences in My Contact Details in the Grants Management System (if you are a grant applicant or grant holder) or, if you have registered via our website to receive information, news and updates, by clicking on the unsubscribe link at the bottom of any email newsletter you receive from us, or by simply contacting us at [email protected].
When can we share and disclose your information?
It is not our policy to share the information described here with other organisations for commercial gain. There may be circumstances, however, in which we may need to do so for statutory, regulatory or statistical purposes, for example, or to enforce our rights, prevent fraud and for safety. Please select the relevant box below, to see how this applies to you.
We may share information with others for the following reasons:
- With peer reviewers: We subscribe to the Association of Medical Research Charities’ Principles of Peer Review, so research grant applications will be subject to peer review. This may include sending information outside of the European Economic Area (EEA) to international peer reviewers.
- With third party service providers and agents: As set out in our policy on protecting the security of your data, we may engage external organisations to process information on our behalf. Additionally, for grant schemes for academic and clinical researchers, we will send information to Europe PMC and for statistical purposes to the Association of Medical Research Charities. Data relating to Community grants will be passed to 360 Giving, an organisation which provides support for funders to publish their grants data openly. This activity is licensed under the Creative Commons Attribution 4.0 International License, which means that the data are freely accessible to anyone to be used and shared as they wish.
- To comply with laws: To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
- To enforce our rights, prevent fraud and for safety: To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
We do not, under normal circumstances, share information with other organisations. However, if you have registered for an event, we may share the data you have provided with third party organisations involved in facilitating the event, for that purpose only.
For suppliers or consultants, we may share information with others as follows:
- To comply with laws: To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
- To enforce our rights, prevent fraud and for safety: To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
We do not, under normal circumstances, share information with other organisations except in relation to payroll and pensions. However, we may share information with others as follows:
- To comply with laws: To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
- To enforce our rights, prevent fraud and for safety: To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
- To facilitate salary and expenses payments to you: our accounting systems, Xero and Dext, are also accessible by our accountants, Moore Kingston Smith, with whom we have a suitable agreement to ensure confidentiality.
We do not, under normal circumstances, share information with other organisations. However, we may share information with others as follows:
- To comply with laws: To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
- To enforce our rights, prevent fraud and for safety: To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
- To facilitate making expenses payments to you: our accounting systems, Xero and Dext, are also accessible by our accountants, Moore Kingston Smith, with whom we have a suitable agreement to ensure confidentiality.
- To enable you to make payments on the Trust’s behalf via its bank, C. Hoare and Co. (Trustees only).
Your rights
You have a number of important rights in relation to our processing of your personal data. You can ask to exercise these rights by emailing [email protected].
- You have the right to be informed about what we are doing with your personal information. We do this by providing you with this Privacy Notice.
- You have the right to object to the processing of your personal information where we are relying on the legitimate interests lawful basis.
- You have the right to request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- If the personal information we hold about you is incorrect or out of date you can ask us to correct it.
- You have the right to ask us to delete the information that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you ask us to delete your personal information we will not be able to provide our services to you.
- You have the right to ask us to restrict how we use your personal information for a period of time if you claim that it is inaccurate and we want to verify the position, or if our processing is unlawful but you do not want us to erase your personal information, or for some other limited circumstances. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. If you ask us to restrict our use of your personal information, we may not be able to provide you with our services.
- You can also ask us to send another organisation information that you have provided to us in a format that can be read by computer.
- Where we rely on consent to process your personal information you have the right to withdraw that consent.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).
Reporting a concern
If you feel we haven’t handled your data properly, please do contact us and we will do everything we can to rectify the problem. If you feel this doesn’t go far enough, or if you want to report your concern elsewhere, you can contact the Information Commissioner’s Office.
Updating your personal information
While you can contact us at any time to ask us to update your personal data or information preferences, you may also update your data directly:
- if you have created an account on our Grants Management System, you can amend your personal data or update your contact preferences yourself by logging in to the portal and going to My Contact Details;
- if you have requested updates via the sign up form on our website, you can click to unsubscribe from messages we have previously sent.
Reducing vulnerability to cyber attack
We are Cyber Essentials certified. The Cyber Essentials scheme is backed by the Government in an attempt to reduce cyber vulnerability and when implemented correctly, the security controls it outlines should prevent the majority of cyber-attacks.