At The Priory of England and the Islands we take your privacy very seriously and are committed to protecting the security of your personal information.
This Policy explains how we, The Priory, may collect and use the information you give us or we receive about you, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our websites, you agree to be bound by this Policy. This Policy also covers certain information you provide to us or that we collect about you in other ways e.g. when you contact us by telephone or email or we receive information about you in other ways such as in relation to an event booking or attendance at an event. If you engage with us other than via our websites, we will make you aware of this Policy when we collect your information.
The Priory has appointed a Data Protection Officer, who can help you with any queries about the information in this Policy: by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
This Policy contains the following sections:
1. WHO WE ARE
The Priory of England and the Islands of the Most Venerable Order of The Hospital of St. John of Jerusalem is a registered charity in England and Wales (charity number 1077265). The Priory is a part of the Order of St John (The Most Venerable Order of the Hospital of St John of Jerusalem (charity number 235979)) and is responsible for delivery of the Order’s charitable mission in England and oversees the semi-autonomous Commanderies in Northern Ireland, Jersey, Guernsey and the Isle of Man.
The Priory’s main role is to support its well-known subsidiary, St John Ambulance®, in its first aid and caring work in the community. The Order of St John is an Order of Chivalry of the Crown and first came into being around 1080 when a hospital was established in Jerusalem by Benedictine monks to provide care for pilgrims making the long journey to the Holy City. Since that time the Order has developed and flourished and is now a leading international humanitarian charity, recognised at the United Nations, with around 400,000 volunteers and staff in 40 countries.
The Priory is also the custodian of the Museum of the Order of St John and manages the Museum along with events and activities held there and the hiring out of it (or part of it) as a venue.
Information that The Priory holds about individuals in relation to nominations for membership of the Order of St John is exempt from various requirements of the General Data Protection Regulation 2016 by virtue of section 15 of Part 2 of Schedule 2 of the UK Data Protection Act 2018, including the requirement to provide a privacy notice, due to such information being processed for the purposes of conferring by the Crown of any honour or dignity. Accordingly, this Policy does not apply to any such information held by The Priory including any special category information held for those purposes.
2. WHAT TYPE OF PERSONAL INFORMATION IS COLLECTED FROM YOU
The personal information we collect from you is limited to what is necessary to enable us to carry out the purposes for which it is collected. The type of personal information we collect depends on the context of your interactions with The Priory and the choices you make, including your privacy settings.
The data we may collect, store and use can include the following:
Name, contact and identity information. We may collect your first and last name, title, job title and company name, email address, postal address, phone number and other similar contact data, and date of birth.
Payment information. We collect data necessary to process your payment if you make a donation or hire part of our premises for an event, such as your payment instrument number (such as a credit card number or bank account number) and the security code associated with your payment instrument.
Whether you are a U.K. tax payer for claiming gift aid.
Any personal information which you choose to provide us with in correspondence with you, such as details regarding particular accessibility, health, medical or dietary requirements for you or a guest when visiting or attending an event at our premises.
Information regarding your sexual orientation if you book a wedding or other similar event to be held at our premises.
Photographs and CCTV footage.
Your I.P. address (or Internet Protocol Address). This is a unique address that computing devices such as personal computers, tablets, and smartphones use to identify itself. An I.P. address is analogous to a street address or telephone number and could therefore be used to identify you.
We may collect other online identifiers including cookies information (for more information please see section 14 (‘Cookies Policy’)), the internet browser and devices you are using and the pages you visited on our website and how long you visited us for.
You have choices about some of the personal information we collect. When you are asked to provide personal information, you may decline. Please note that if you choose not to provide personal information that is necessary to enable us to carry out your request- for instance, to make a donation, for information or to receive a newsletter- we may not be able to fulfil that request.
We may provide links via The Priory’s websites to other websites or you might independently visit the website of a third party who provides services on our behalf, such as our event booking service. The privacy practices of these third-party websites are outside our control and in these cases, you should check the privacy notices of any third-party websites before disclosing any personal information.
3. HOW WE COLLECT YOUR PERSONAL INFORMATION
There are various ways you might share your personal information with The Priory, depending on how you interact with us. At present we offer the following channels of communication (though not all may be available to you and will depend on the reason for your contact with us):
Websites – online forms
Face to face
For instance, you might provide personal information when making a donation to us through our websites, by text, by telephone or by completing a direct debit form which you send to us by post.
You might send us an e-mail requesting support from or information about The Priory or to subscribe to a newsletter or book an event, and personal information might be collected by us to enable us to deal with your enquiry.
If you participate in our governance arrangements or a County Priory Group, you will have been asked to provide us with contact details in order that we can advise you of meetings dates and/or provide papers and minutes of meetings to you.
If you work with us as a supplier, we will require your contact details in order to liaise with you and administer our commercial relationship.
When you contact us by telephone, such as for support or information or to make enquiries or book an event, telephone conversations with our representatives may be monitored and recorded.
Some of our premises are monitored by CCTV and footage may be captured for security and safety purposes.
When you visit our websites we use marketing analytics products and providers to measure the effectiveness of our websites, which may entail the collection of personal information in the form of online identifiers.
Our related charities – St John Ambulance® and the Order of St John.
A third party booking an event at which you will be attending or participating in.
Someone who may post a photograph or information relating to you to our social media platforms.
Publicly-available information such as newspaper or online media items; public posts on LinkedIn or social media; open government databases such as Companies House; databases of grant-funding opportunities and other data in the public domain. Please refer to section 7 (‘Profiling’) below for more information about how we may use this information.
4. HOW WE USE YOUR PERSONAL INFORMATION
There are various ways in which we may use or process your personal information. We list these below and the legal basis we rely on in each case.
Where you have provided your consent, we may use and process your personal information to:
Contact you from time to time about our events, activities, or information which we reasonably think may be of interest to you (please be assured that we will not spam you).
Promote The Priory events, services, and activities including through our mailings and social media- for example, where you have consented to us using a review you have written or photograph or video footage featuring you at an event such as a dedication ceremony or a wedding (or a child aged under 13).
You can withdraw your consent at any time by contacting us using the details provided within section 5 below (‘Your Right To Withdraw Consent To Processing Of Personal Information’) or, in relation to any marketing messages you receive, by using the unsubscribe option included in those messages.
We may use and process your personal information to perform a contract with you (or a contract made with someone else which requires us to provide goods or services to you, such as hiring part of our premises for an event or attending a talk or activity) and to fulfil and complete other transactions entered into with us such as selling or loaning an item to us.
We may use and process your personal information where it is necessary for us to carry out activities which are in our legitimate interests as a charity. The main legitimate interests we rely on are:
to fulfil the charitable purposes of The Priory by fundraising through donations, events, activities and by sustaining and raising the profile of our organization through careful marketing.
To operate lawfully and effectively and to administer all aspects of our business as a charity, including administering governance arrangements and your participation in them.
To operate and manage the Museum of the Order of St John.
Processing donations and legacies
We will process your personal information to fulfil your request to make either a one-off or regular donation to us and to carry out reasonable administration of your donation, which could include thanking you and confirming your direct debit details with you. Where you have made a gift-aid declaration this will include processing your information to enable us to claim gift-aid. We will also process personal information where reasonably required to administer a legacy that has been left to The Priory.
Processing newsletter subscriptions
We will process your personal information to fulfil your request to subscribe to a newsletter about our events and activities.
Supporting customers and supporters with requests for information
We will process your information to fulfil your request for information about becoming a supporter, our events, activities or venue hiring opportunities.
Supporting customers with booking events and activities
We will process your personal information to respond to any correspondence you send us and fulfil the requests you make to us, both before and after booking. We will also process your personal information to carry out reasonable administration of your order or booking.
Administering sales / loans / gifts to the Museum
Where you kindly loan or gift an object or materials to the Museum or sell to us an object or materials, we will process your personal information to manage that transaction and deal with any ongoing queries or issues.
Processing necessary for us to understand and respond to customers’ and supporters’ needs
We may process personal information to analyse, evaluate and improve your customer/supporter experience of our staff and web-sites and to improve our support and services (we will generally use data amalgamated from many people so that it doesn’t identify you personally).
You may choose to give us feedback on any of your experiences with The Priory and your feedback together with any personal information you provide will enable us to analyse, evaluate and improve your customer/supporter experience and to respond to you as appropriate (although feedback is generally given on an anonymous basis).
We may undertake market analysis and research (including contacting you with customer/supporter surveys) so that we can better understand you as a customer/supporter and provide tailored information, products and services that we think you will be interested in. We will only send marketing communications to you if you have provided your consent for us to do so or in certain cases, if we have a legitimate interest in doing so.
Profiling our existing and potential customers and supporters
We may use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our customer/members/supporters. Please see section 7 (‘Profiling’) for further information. You can let us know if you do not want us to use your personal information in this way.
Processing necessary for us to promote our business, products and services and measure the reach and effectiveness of our campaigns
We may also contact you from time to time with marketing information (unless you object) if you are acting on behalf of a business or where we have obtained your business contact details from a data broker or public business directory. In relation to any such information we send by email or SMS, we will include an option allowing you to object to receiving future messages by unsubscribing.
We may contact you with targeted advertising delivered online through social media and other platforms operated by other companies, unless you object. You may receive advertising based on information about you that we have provided to the platform or because, at our request, the platform has identified you as having similar attributes to the individuals whose details it has received from us. To find out more, please refer to the information provided in the help pages of the platforms on which you receive advertising from us.
We may use photographs or video footage which feature you, but which do not identify you by name, to promote The Priory.
Processing necessary for us to operate the administrative and technical aspects of our charity efficiently and effectively
We may have to share your personal information with third parties, as described in section 6 (‘Data Sharing’) below.
We may have to verify the accuracy of information that we hold about you and create a better understanding of you as a customer/member/supporter.
We may process your personal information for network and information security purposes, for example, for us to take steps to protect your information against loss, damage, theft or unauthorised access.
We may process your personal information to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request).
We may process your personal information to inform you of updates to our terms and conditions and policies.
Processing necessary to protect our premises, property and people
We may process personal information for crime prevention and detection purposes and to keep our people safe. For example, some of our premises have CCTV cameras.
We may process your personal information to comply with our legal requirements (for example, to liaise with The Charity Commission, HMRC or the Information Commissioner’s Office).
Other grounds for processing
Sometimes we will need to process your personal information if, for example, you are attending one of our events and are in need of urgent medical care.
We administer membership of the Order of St John and provide information and support to those members, as well as informing them of the work of the Order of St John and inviting them to relevant events and activities.
Grounds for processing of special category information
If you provide to us or we obtain information that is considered to be “special category” information – that is revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying you, data concerning health or sex life or sexual orientation – we are required to have a further ground to process this information.
Where you have provided your explicit consent, we may use and process your personal information to:
Arrange or help you arrange a wedding or other celebration being held at our premises.
Accommodate any particular accessibility, health or dietary requirements at an event or activity.
Sometimes we will need to process your personal information if, for example, you are attending one of our events and are in need of urgent medical care and we are not able to obtain consent from you.
Sometimes we will need to process your personal information to establish, exercise or defend legal claims.
Substantial public interest
There are a number of different grounds upon which we may need to process your personal information that are set down under UK data protection rules including:
The processing being necessary for the exercise of a function of the Crown.
Identifying and monitoring equal of opportunity or treatment or diversity.
Preventing, detecting or protecting the public against unlawful acts, fraud and dishonesty.
Safeguarding the economic well-being of certain individuals such as our support of the Defence Medical Welfare Service.
We retain a large number of historical documents that may contain information about living identifiable individuals.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in accordance with this Policy, where this is required or permitted by law.
5. YOUR RIGHT TO WITHDRAW CONSENT TO PROCESSING OF PERSONAL INFORMATION
If you have consented to the collection, processing and transfer of your personal information for a specific purpose(s), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
As quickly as possible and in any event within 30 days of receiving notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to (unless we have another legitimate basis for doing so in law). Please note that if you ask us to stop sending marketing information or newsletters we will update our records to stop further mailings as quickly as we can, but you may still receive further mailings which were already in progress prior to your asking us to stop for up to 2 months.
The withdrawal of your consent will not affect the lawfulness of our processing based on your consent before you withdrew your consent.
6. DATA SHARING
We will not sell or rent your information to third parties.
We may have to share your data with third parties, as described below. If we do, you can expect a similar degree of protection in respect of your personal information to that provided by us. We require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may pass your personal information to St John Ambulance®, as staff and volunteers carrying out work for The Priory are employed or engaged by St John Ambulance®. We may also pass it to the Order of St John.
We may pass your personal information to our third-party service providers, including contractors and designated agents, and other associated organisations for the purposes of completing tasks on our behalf (for example to process donations and payments, to fundraise, send you newsletters, and to assist us with marketing analysis). However, when we use third party service providers, we disclose only the personal information that is reasonably necessary to deliver the service.
Data transfers to parties outside the EU
There may be some instances where your personal information is processed or stored outside of the EU. In those instances, we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law.
The Priory operates in the Bailiwicks of Jersey and Guernsey and in the Isle of Man, each of which are outside of the EU. Personal information provided to The Priory may be given to our local offices in those territories and stored in data retrieval systems in the territory, but only when you request information or services relating to our operation in those territories. There is an adequacy decision by the European Commission for these countries, which means that they are deemed to provide an adequate level of protection for your personal information.
Profiling is often used in direct marketing and involves analysing data to improve the targeting of communications. We may use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our customers/members/supporters. If you do not wish your data to be used in this way, you are entitled to object. Please see section 13 below (‘Your Rights in Connection with Personal Information’) on how to do this.
We may carry out profiling of potential donors to ensure that we are engaging with the people most likely to support The Priory. Profiling allows us to target our resources effectively and help ensure that we only send you information we reasonably think will be of interest to you.
We may also use profiling techniques to perform Due Diligence research as required by the Fundraising Regulator’s Code of Fundraising Practice, for example when certain levels of donation are made. More details can be found at www.fundraisingregulator.org.uk.
When building a profile, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences, so we can contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available, such as publicly available data about you (for example, addresses, listed directorships on Companies House, property prices on the Land Registry or typical earnings in a given area). We may also gather additional data which is freely available in the public domain (for example, newspaper articles or online sources).
We do this because it allows us to understand the background of the people who support us and helps us make appropriate requests to supporters who may be able and willing to give more than they already do and to predict the level at which donors may be able to support The Priory in the future. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would.
8. HOW LONG WE KEEP YOUR PERSONAL INFORMATION FOR
We will only retain your personal information for as long as necessary for the purposes we collected it for, as set out in our Data Retention Schedule, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
For further information about the retention period in a particular case, please contact our Data Protection Officer by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
11. HOW WE KEEP YOUR DATA SAFE
The Priory would like to reassure you that we use appropriate security measures to protect your personal information against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures may include, but are not limited to, a range of organisational safeguards such as staff training and duties of confidentiality and the following technical safeguards listed below. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach, where we are legally required to do so.
Encryption is the process of converting data to an unrecognizable or “encrypted” form. This means that only the sender and intended recipient can view it in a meaningful way. If the encrypted data is stolen, it should not be possible to change it back to readable data.
Pseudonymisation changes data that can be used to identify a person into data that can’t be used to identify a person. This is done by replacing the data that can be used to identify someone with other data, for example, changing someone’s date of birth to 01/01/1700.
Certification from third parties
We engage security experts to test or confirm that our systems meet relevant security standards.
Secure log on/authentication
As well as requiring staff to enter usernames and passwords, our systems also check that a particular computer or program is authorised to access and manipulate data before allowing it to do so.
Access controls and role based access controls
Staff are prevented from accessing our systems unless they enter their user name and password. In addition, we restrict whose personal data each user can access depending on their role at The Priory and individual data files are password protected. We also limit access to your personal information to those agents, contractors and other third parties who have a business need to know. Everyone with access to your personal information are subject to a duty of confidentiality and will only process your personal information on our instructions.
Data back-up and restoration
We regularly back-up our systems and data which means that we can restore or recover the system and data from a back-up file.
We protect our network by using Firewalls that only allow access between different networks based upon strict security criteria. For example, a Web Application Firewall filters, monitors and blocks any internet traffic to and from a web application such as webmail and online forms. It detects and blocks anything malicious.
System testing and monitoring
We regularly test whether our systems are secure. We also engage independent companies to test whether our systems are secure. We regularly monitor our systems for signs of hacking and attacks and we use anti-virus software to detect and prevent computer viruses.
Data Loss Protection tools
Data Loss Protection tools place limits on where users can save data. For example, users might be prevented from sending data by email or saving it onto their home computer.
Mobile Device Management
Mobile phones and laptops are mobile devices. Mobile Device Management allows organisations to limit the locations where personnel can save data to on their mobile device. When a staff member of The Priory leaves our organisation or loses a laptop or mobile, the data can be wiped from the laptop or mobile remotely.
12. CHANGES TO YOUR PERSONAL INFORMATION
Please let us know if your contact information changes so that we can ensure that our records are accurate and up to date. You can request that we change your contact details by contacting our Data Protection Officer by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
13. YOUR RIGHTS IN CONNECTION WITH PERSONAL INFORMATION
By law you have the right to:
Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for process it.
Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please send a written request to our Data Protection Officer by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
We will ask you for information to confirm your identity and, where applicable, to help us search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received any request (including any identification documents requested). We will also explain if any of the rights do not apply in your particular circumstances.
To make full use of the online and personalised features on The Priory websites, your computer, tablet or mobile phone will need to accept cookies, as we can only provide you with certain personalised features of this website by using them.
Our cookies don’t store sensitive information such as your name, address or payment details: they simply hold the ‘key’ that, once you’re signed in, is associated with this information.
You can restrict, block or delete cookies from The Priory at any time through your browser. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.
More information about cookies and how to control how they are set can be found at www.allaboutcookies.org
You can find out more information about how our cookies work here.
15. ORGANISATION CONTACT
We have appointed a Data Protection Officer to oversee compliance with this Policy. If you have any questions about this Policy or how we handle your personal information, please contact our Data Protection Officer by email- or by post- marked for the attention of the Data Protection Officer at Priory of England and the Islands of The Order of St John, St John’s Gate, St John’s Lane, London EC1M 4DA.
16. RIGHT TO MAKE A COMPLAINT
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The contact details for the Information Commissioner’s Office, the data protection regulator in the UK, are below:
Information Commissioner’s Office
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.